Spotfire - Javascript API - Cross Site/SameSite Cookies

[Tyger Guzman 2]

I've used thehttps://community.spotfire.com/wiki/tibco-spotfire-javascript-api-overviewto view Spotfire reports in html/aspx pages.

 

Today after clearing all cache and cookies / browsing historyall my pages stopped loaded getting an error of :

 

A cookie associated with a cross-site resource at https://server.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

And Spotfires onReadyCallback funcitonreturning :

Status not OK. ERROR: Third party cookies must be allowed for domain 'https://server.com'.

I've triedBlock third-party cookies settings on Chrome toggling the settings , adding sites to the ALLOW section with no luck.

Looking at Chrome Release notes there was changes after version 80 that are suppose to block SameSite/CrossSite cookeis that don't have the SAMESITE attribute. I'm at a loss on how to update the HTML/ASPX/Javascript below to accomidate that. I've been running the version80.0.3987.132 of chrome for a while now and didn't have any trouble till today when doing a full browswer history clear.

 

Does anyone have any suggestions

 

 

 

 

 

 

Spotfire Template

 

 

 

/*Style the Divs that will hold the Spotfire Pages */

#Element1 {

padding: 0;

margin: 0 auto;

width: 100%;

height: 1090px;

}

#Element2 {

padding: 0;

margin: 0 auto;

width: 100%;

height: 1090px;

}

 

 

 

 

 

 

 

//Specify Parameters

var app;

var doc;

var webPlayerServerRootUrl = "https://server.com/spotfire/wp/";

var analysisPath = "/Folder/Analysis";

var parameters = '';

var reloadInstances = false;

var apiVersion = "7.14";

var customizationInfo = {

showAbout: false,

showAnalysisInformationTool: false,

showAuthor: false,

showClose: false,

showCustomizableHeader: false,

showDodPanel: false,

showExportFile: false,

showExportVisualization: false,

showFilterPanel: false,

showHelp: false,

showLogout: false,

showPageNavigation: false,

showReloadAnalysis: false,

showStatusBar: false,

showToolBar: false,

showUndoRedo: false

};

//Declare more variables to add additonal Spotfire Pages

var view0;

var view1;

spotfire.webPlayer.createApplication(webPlayerServerRootUrl, customizationInfo, analysisPath, parameters, reloadInstances, apiVersion, onReadyCallback, onCreateLoginElement);

function onReadyCallback(response, newApp) {

app = newApp;

if (response.status === "OK") {

// The application is ready, meaning that the api is loaded and that the analysis path is validated for the current session (anonymous or logged in user)

console.log("OK received. Opening document to page 0 in element renderAnalysis")

//Add Items here for more pages , You can use Integers for Page Index or Title of Pages {First Element is the DIV ID and second is the PageName/PageIndex}

view0 = app.openDocument("Element1", 0);

view1 = app.openDocument("Element2", 1);

} else {

console.log("Status not OK. " + response.status + ": " + response.message)

}

}

function onError(error) {

console.log("Error: " + error);

}

function onCreateLoginElement() {

console.log("Creating the login element");

// Optionally create and return a div to host the login button

return null;

}

[Jens Borgland]

This is due to a change in the behavior of the Chrome browser (and other browsers are likely to follow).

For more information, and instructions on how to resolve it depending on your use case, see this Support article:https://support.tibco.com/s/article/Tibco-Spotfire-JavaScript-Mashup-API-stops-working-in-Chrome-due-to-SameSite-problem

[Tyger Guzman 2]

I'm not entirely understanding the instructions on the resolution Could you elaborate on what needs to be checked/updated 

[Jens Borgland]

I assume that your mashup and the Spotfire Server are not hosted under the same domain (like mashup.example.com and server.example.com) If they had been then you probably wouldn't have had any problems since it appears that you're using https.

 

This means that you will have to disable SameSite cookies on your Spotfire Server according to the instructions here. Note that a prerequisite is to be on LTS 7.11.9, LTS 10.3.6, 10.8.0, or later mainstream versions since a recent Tomcat version is needed (and that is included with the mentioned Spotfire Server versions).

[Tyger Guzman 2]

Thank you for the information. I'm on LTS 10.3.1 does this mean there is no fix  

[Jens Borgland]

There is a fix - but the first step would be to upgrade to10.3.6 or later. Note that a security advisory was recently announced so you should upgrade to 10.3.7 or later anyway.