iframe works in Firefox, not Chrome

[beef]

Hello all!

I have a wiki (Mediawiki v1.35.1) that works when unframed – that is, when not embedded as an iframe.

When iframed, the wiki login form:

…works with:

• Firefox, 85.0 Linux
• Firefox, 86.0 Windows

…and does NOT work with:

• Chrome, 89.0 Windows

 

“Not working” means authentication is blocked and this error is displayed:

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form."

I suspect clickjacking defenses are involved.

My Apache (v2.4.6) headers:

Header set Access-Control-Allow-Origin "*"
Header set Content-Security-Policy "frame-ancestors 'self' *.shotgunstudio.com"
Header unset X-Frame-Options

shotgunstudio.com is the embedding domain. Both my wiki and shotgunstudio have valid SSL.

My wiki LocalSettings.php settings:

$wgEditPageFrameOptions = false;
$wgApiFrameOptions =false;
$wgCookiePrefix = "wiki";
$wgBreakFrames = false;

I am especially puzzled by the difference between Firefox and Chrome.

Any ideas on how to fix this?

Sincerely,

Wellington

[beef]

Ah! Someone gave me the answer!

Chrome recently applied a new default of "lax" to the "SameSite" parameter of cookies.   Lax was not lax enough; I needed to set SameSite=none.

https://www.mediawiki.org/wiki/Manual:$wgCookieSameSite

$wgCookieSameSite='none';

Thanks!!