Issue
- After including an iframe link in a 3rd party application for our clustered Liferay environment (and already setting the appropriate X-Frame-Options), users are experiencing repeated authentication prompts even though they are already logged into Liferay
- In the browser console, we can see errors relating to invalid X-Frame-Options header and restricted access due to cross-origin framing:
Invalid 'X-Frame-Options' header encountered when loading 'https://webserver-url.com/': 'ALLOW-FROM http://localhost:8085/' is not a recognized directive. The header will be ignored. ...
Uncaught DOMException: Failed to read a named property 'href' from 'Location': Blocked a frame with origin "https://webserver-url.com" from accessing a cross-origin frame. ...
Failed to load resource: the server responded with a status of 403
Environment
- Liferay DXP
Resolution
- This issue is caused by a mismatch in SameSite values being applied between the application server's cookies and the web server's cookies, and can be resolved by ensuring the SameSite values are aligned for the configured domains and their associated cookies
Additional Information
- For example, if NGINX is the web server vendor in use, you can add the following to the web server's configuration file within the location tag:
-
proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=none";
-
- For more information, please see: