Upcoming chrome changes and breaking issues with iframes

Microsoft

There are some upcoming changes being rolled out to chrome in Jan 2020 involving default behavior of the samesite property in cookies, effectively making 3rd party cookies disabled by default.

 

This can be tested now in chrome 76/77 by enabling the feature flags:

  1. go to chrome://flags
  2. search for samesite, there will be 2 flags to enable.
  3. restart browser

I've tested this with the microsoft streaming content iframes and found that this does indeed break the playability of thes iframes. When i click the iframe and load the content in its own browser tab it works. Is there anyone working on a fix for this yet?

 

For those that aren't aware of this change here is a brief summary:

Google is planning to make two changes to how Chrome treats cookies without the SameSite attribute. The default changes from SameSite=None to SameSite=Lax, and SameSite=None requires Secure. This is done to improve overall web security and eliminate certain classes of CSRF attacks. Details about the SameSite attribute can be found here.
 
Changing the default means cookies without an explicit SameSite=None attribute will not be sent in a 3rd party context anymore. This affects identity scenarios in various ways and can affect other app scenarios too.
 
9 Replies

@iabowers I think this might be similar to an existing problem where you cannot play Microsoft Stream embedded videos on iOS Safari. That also seems to involve 3rd party cookies and cross site tracking settings. Hopefully the Stream team can solve this quickly without asking iOS users to change their cookie settings. Getting non-technical users to do that is difficult!

 

We embed Stream videos and when you view the page on iOS the videos show an error "Your browser does not support playback inline. Please open a new window to play this video." When you do that it has the same error. When you click learn more the message talks about changing your 3rd party cookie settings. 

@Victor_98029 Hi, I have the same problem  "Your browser does not support playback inline. Please open a new window to play this video." with embedded video from ms stream. It happened on Safari Ios version 13.1.2, changing the cookie settings won't help to address the issue, however it can address the cookie issue with Safari. The only thing i can do to resolved the problem is to update to the newer ios version 13.2 then the error will be replace by the login screen.

Cookie errors:

clipboard_image_1.png

clipboard_image_2.png

clipboard_image_3.png

 

Ios version 13 playback error:

clipboard_image_0.png

clipboard_image_4.png

 

@iabowers 

Hi there, the next Stream update will include the right flags to ensure that the February Chrome update does not break playback, thanks for reaching out. We appreciate the vigilance :) 

@notstormns That is correct, that specific version of safari had a giant regression that Apple patched soon after. You need to update your version if you wish for the browser to respect your cross-site tracking settings. 

So after this release of Stream we should expect iframed videos working again with the SameSite flags active in Chrome? Anywhere we can track the progress of this?
Thank you for the update! That is reassuring to read :)
Any date for this Stream update so we can test prior to the Chrome release that it solves the issue?

@Amir_Zeierman_Varonis You should have the update now! Everyone please feel free to test it out - if you're having issues show me what version of the web app you're on and in this about Microsoft Stream pop up : 

 
 

about.PNG

@iabowers @Amir_Zeierman_Varonis @granaker @notstormns @Victor_98029 

@Saili Raje Thanks for the update! I've confirmed the update has fixed the issue.