Chrome 80 to render all external iframes blocked from February 4th

Google are releasing an update to chrome in February that will block all iframes on 3rd party domains.

The only way they will be allowed is if a cookie is present with value SameSite=none.

Currently, the cookie is set with SameSite=lax from bubble so they will break.

Is this something we can set with JS our side or even better, set in the settings of bubble app like the “Allow iframe” setting? I’m not sure the role of cloudflare in this and if that causes issues either. Just some clarity will be nice :blush:

You misunderstand this issue. It’s not about iframes, it’s about cookie handling. Resources:

This isn’t a topic of concern unless your app is an embeddable thing that communicates with the hosting page via cookies.

For Google’s thoughts on how such things should be done without cookies, see:

1 Like

Thanks for the clarity Keith. So, Is this issue not the same as an iframe on a 3rd party site then? Say I create something from my bubble app that you can interact with when the iframe is on a 3rd party domain, thus embedded (first party domain would be mine so no issue) then if not marked as SameSite=none, it will throw a console error and not render? Currently all output from bubble is marked SameSite=lax.

I get that content from a iframe will display fine as long as no user interaction or communication from the original site but if you do require data because the iframe is more functional then you will be affected?

I just don’t want to be posting on 4th feb in forum with “it broke…” :joy:

I decided to pull up the app that’s embedded in a third party domain with Chrome 80’s environment set and it does indeed block the resources.

This will affect all embedded iframes and widgets that load within a parent that isn’t same domain and requires resource. Static stuff gets through fine provided it isn’t a result of user interaction (the whole point of the same site tag)

Having dug further, it looks like it will need to be changed on the cfduid cookie set by Cloudflare as that is the offending cookie. They have been discussing it over there (with lots of confusion and anger however the same resonating message, this is only affecting embeds on other domains):

Here is a screenshot of the cookie that is set Lax and below is a cookie i tested that has the correct None tag.

Screenshot 2020-01-31 at 09.03.18

I have emailed Bubble Support.

Regarding Bubblers apps, this won’t affect any apps unless you have functionality where you provide say an iframe/widget that you allow others to embed on their domain and the functionality expects user interaction.

This topic was automatically closed after 70 days. New replies are no longer allowed.

We just rolled out an update allowing the sessions to be maintained for apps displayed inside iframes.

This shouldn’t require any particular change on your end, however this works on our end by setting the Cookies’ SameSite policy to ‘None’.

Since this is a minor security regression, this policy is only set if the settings for ‘Allow to render the app in an frame/iframe (X-Frame-Options)’ is set to ‘Allow all iframes’ (in Settings > General).