Jump to content

Spotfire - Javascript API - Cross Site/SameSite Cookies

Tyger Guzman 2

Recommended Posts

I've used thehttps://community.spotfire.com/wiki/tibco-spotfire-javascript-api-overviewto view Spotfire reports in html/aspx pages.


Today after clearing all cache and cookies / browsing historyall my pages stopped loaded getting an error of :


A cookie associated with a cross-site resource at https://server.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

And Spotfires onReadyCallback funcitonreturning :

Status not OK. ERROR: Third party cookies must be allowed for domain 'https://server.com'.

I've triedBlock third-party cookies settings on Chrome toggling the settings , adding sites to the ALLOW section with no luck.

Looking at Chrome Release notes there was changes after version 80 that are suppose to block SameSite/CrossSite cookeis that don't have the SAMESITE attribute. I'm at a loss on how to update the HTML/ASPX/Javascript below to accomidate that. I've been running the version80.0.3987.132 of chrome for a while now and didn't have any trouble till today when doing a full browswer history clear.


Does anyone have any suggestions







Spotfire Template




/*Style the Divs that will hold the Spotfire Pages */

#Element1 {

padding: 0;

margin: 0 auto;

width: 100%;

height: 1090px;


#Element2 {

padding: 0;

margin: 0 auto;

width: 100%;

height: 1090px;









//Specify Parameters

var app;

var doc;

var webPlayerServerRootUrl = "https://server.com/spotfire/wp/";

var analysisPath = "/Folder/Analysis";

var parameters = '';

var reloadInstances = false;

var apiVersion = "7.14";

var customizationInfo = {

showAbout: false,

showAnalysisInformationTool: false,

showAuthor: false,

showClose: false,

showCustomizableHeader: false,

showDodPanel: false,

showExportFile: false,

showExportVisualization: false,

showFilterPanel: false,

showHelp: false,

showLogout: false,

showPageNavigation: false,

showReloadAnalysis: false,

showStatusBar: false,

showToolBar: false,

showUndoRedo: false


//Declare more variables to add additonal Spotfire Pages

var view0;

var view1;

spotfire.webPlayer.createApplication(webPlayerServerRootUrl, customizationInfo, analysisPath, parameters, reloadInstances, apiVersion, onReadyCallback, onCreateLoginElement);

function onReadyCallback(response, newApp) {

app = newApp;

if (response.status === "OK") {

// The application is ready, meaning that the api is loaded and that the analysis path is validated for the current session (anonymous or logged in user)

console.log("OK received. Opening document to page 0 in element renderAnalysis")

//Add Items here for more pages , You can use Integers for Page Index or Title of Pages {First Element is the DIV ID and second is the PageName/PageIndex}

view0 = app.openDocument("Element1", 0);

view1 = app.openDocument("Element2", 1);

} else {

console.log("Status not OK. " + response.status + ": " + response.message)



function onError(error) {

console.log("Error: " + error);


function onCreateLoginElement() {

console.log("Creating the login element");

// Optionally create and return a div to host the login button

return null;


Link to comment
Share on other sites

This is due to a change in the behavior of the Chrome browser (and other browsers are likely to follow).

For more information, and instructions on how to resolve it depending on your use case, see this Support article:https://support.tibco.com/s/article/Tibco-Spotfire-JavaScript-Mashup-API-stops-working-in-Chrome-due-to-SameSite-problem

Link to comment
Share on other sites

I assume that your mashup and the Spotfire Server are not hosted under the same domain (like mashup.example.com and server.example.com) If they had been then you probably wouldn't have had any problems since it appears that you're using https.


This means that you will have to disable SameSite cookies on your Spotfire Server according to the instructions here. Note that a prerequisite is to be on LTS 7.11.9, LTS 10.3.6, 10.8.0, or later mainstream versions since a recent Tomcat version is needed (and that is included with the mentioned Spotfire Server versions).

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...