|
Rank: Member Groups: Member
Joined: 2/12/2020 Posts: 14
|
We use EO.WebBrowser to access a website that is currently impacted by a recent change to Chrome/Chromium default SameSite cookie behavior settings. In order to workaround the issue, we need to change the Chrome flag #cookies-without-same-site-must-be-secure to disabled. We cannot figure out a way to do this with EO.WebBrowser. We have tried: EO.WebEngine.Engine.Default.Options.ExtraCommandLineArgs = "--disable-features=cookieswithoutsamesitemustbesecure"; _oWebControl.WebView.Engine.Options.ExtraCommandLineArgs = "--disable-features=cookieswithoutsamesitemustbesecure"; (instance) along with several other syntax variants including: "--disable-features=CookiesWithoutSameSiteMustBeSecure" "--disable-features=cookies-without-same-site-must-be-secure" "--disable-cookies-without-same-site-must-be-secure" According to the chromium website, https://samesite-sandbox.glitch.me/ can be used to test this setting. The default setting of enabled causes this site to display all green checkmarks. When set to disabled, the site should show a few red X's with invalid on the center row. Is there a way to configure EO.WebBrowser to disable this flag?
|
|
Rank: Advanced Member Groups: Member
Joined: 9/20/2016 Posts: 73
|
absoffthewake, you need to use this option only once. If you want to disable several features - use delimiter. For example: Runtime.DefaultEngineOptions.ExtraCommandLineArgs = "--disable-features=SameSiteByDefaultCookies, PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies ";
or
Runtime.DefaultEngineOptions.ExtraCommandLineArgs = "--disable-features=SameSiteByDefaultCookies";
All works:)
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
|
To rainstuff, thanks for helping!
|
|
Rank: Member Groups: Member
Joined: 2/12/2020 Posts: 14
|
@rainstuff Thank you for your help. Unfortunately it did not work for me. The SameSiteByDefaultCookies flag is distinct from the one we need and it does not fix the issue we are having with the problematic website. I also tried this command (setting it only once) to no avail: Runtime.DefaultEngineOptions.ExtraCommandLineArgs = "--disable-features=CookiesWithoutSameSiteMustBeSecure"; I'm setting this right after initialization, immediately following the AddLicense call. I tried it in other places and it didn't seem to make a difference. Any other ideas? The expected outcome is this website https://samesite-sandbox.glitch.me/ displays red X's in the center row. Is that the outcome you had?
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
|
Hi, We tested this and rainstuff's respond seems to be correct. SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure are two different but related options. CookiesWithoutSameSiteMustBeSecure is only enabled when SameSiteByDefaultCookies. As such just disabling SameSiteByDefaultCookies would disable both. We added the following code to App.xaml.cs
Code: C#
EO.WebEngine.EngineOptions.Default.ExtraCommandLineArgs = "--disable-features=SameSiteByDefaultCookies";
Before this line:
Code: C#
MainWindow mainWnd = new MainWindow();
The result is all the first four cookies (ck00, ck01, ck02, ck03) are set both for the site itself and cross site. This is exactly the legacy behavior before SameSite attribute is introduced. The last two cookies (ck04 and ck05) are not affected because their SameSite value is explicitly set to Lax/Strict. Thanks!
|
|
Rank: Member Groups: Member
Joined: 2/12/2020 Posts: 14
|
This is the expected outcome on the test site when you disable the Chrome Flag CookiesWithoutSameSiteMustBeSecure: When you click the i icon, you should receive the error description: SameSite=None without Secure should be rejected. I am unable to reproduce this behavior in EO.WebBrowser. It is "IBC Compliant" when the samesite=none is rejected. No matter how I set EO, it rejects and therefore is IBC Compliant. In other words, I get all green checkboxes no matter how I configure it. The goal is to allow nonsecure samesite cookies, which should result in a test failure on the test site unless I am missing something. Please advise.
|
|
Rank: Member Groups: Member
Joined: 2/12/2020 Posts: 14
|
Turns out it was a bug in our code. I overlooked a line of code another dev added while troubleshooting that cleared the ExtraCommandLineArgs parameter in the newly created WebControl object.
This syntax worked: EO.WebEngine.EngineOptions.Default.ExtraCommandLineArgs = "--disable-features=CookiesWithoutSameSiteMustBeSecure";
Thank you!
|
|
Rank: Member Groups: Member
Joined: 2/12/2020 Posts: 14
|
Also had to add it to the App startup as mentioned as it would not apply the setting until the 2nd iteration.
|
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
|
Great. Glad to hear that it worked for you!
|
|