SR-D92877 · Issue 551030
SameSite cookie setting added for Mashup support in Google Chrome v80+
Resolved in Pega Version 8.3.3
Google Chrome version 80 and above treats a cookie with a blank SameSite value as "Lax" by default, which causes mashup scenarios to break. To compensate for this change, support has been added for setting SameSite=None in Cookie Settings; this value automatically includes the “secure” cookie flag, which enforces HTTPS for the Pega server and mashup. For mashups to work, SameSite should be set to None. Create a Dynamic System Setting in the Pega-Engine RuleSet with the name “security/csrf/samesitecookieattributevalue” and the value "None", then restart the server. (The SameSite value "None" works only in secure HTTPS connections.) Note: The SameSite cookie attribute may be set to None/Lax/Strict, based on the requirement. For cookie requirements other than mashup, it should be set to either Strict or Lax, depending upon your application.
SR-D89002 · Issue 549102
SameSite cookie setting updated for pre-authentication
Resolved in Pega Version 8.3.3
In work done in previous versions to modify the SameSite cookie handling to support mashups in Google Chrome v80+, SameSite was set to None only for an authenticated Pega-RULES cookie and not for a pre-authenticated cookie. As a result, the SameSite value was not set when using a pre-authenticated cookie, and the blank value was treated as 'Lax', causing a login challenge. To resolve this, SameSite will be set to 'None' when using a pre-authenticated cookie, which matches the way it is set for the authenticated cookie.
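A header check for the behaviour described in the two SameSite entries above (the mashup setting and the pre-authentication fix), as an added example that is not Pega code: it classifies Set-Cookie headers by how Chrome 80+ handles them on a cross-site framed request. The sample headers and cookie values are constructed, and the function names are hypothetical.

```python
# Added example: classify Set-Cookie headers as Chrome 80+ treats them when the
# page is embedded cross-site (a mashup). All sample headers are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, attributes keyed in lowercase)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def mashup_verdict(header):
    """Return (name, effective SameSite, verdict) for a cross-site framed request."""
    name, attrs = parse_set_cookie(header)
    raw = attrs.get("samesite", "").lower()
    if raw not in ("none", "lax", "strict"):
        # Missing or blank value: Chrome 80+ applies Lax. Unrecognised values
        # are handled the same way in this sketch.
        return name, "Lax (default)", "not-sent-in-cross-site-frame"
    if raw == "none":
        if "secure" not in attrs:
            # SameSite=None is only honoured together with the Secure flag.
            return name, "None", "rejected-missing-secure"
        return name, "None", "sent-cross-site"
    return name, raw.capitalize(), "not-sent-in-cross-site-frame"


SAMPLE_HEADERS = [  # constructed examples, not captured traffic
    "Pega-RULES=constructed-1; Path=/; HttpOnly",
    "Pega-RULES=constructed-2; Path=/; Secure; HttpOnly; SameSite=None",
    "Pega-RULES=constructed-3; Path=/; HttpOnly; SameSite=None",
    "Pega-RULES=constructed-4; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def audit(headers):
    """Classify every header in the list."""
    return [mashup_verdict(h) for h in headers]


if __name__ == "__main__":
    for name, effective, verdict in audit(SAMPLE_HEADERS):
        print(f"{name:12} SameSite={effective:14} -> {verdict}")
```

Only the second sample header would reach the server from inside a mashup frame; the first reproduces the blank-value case that caused the login challenge.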
SR-D64523 · Issue 545670
Stream Registration deprecated and replaced
Resolved in Pega Version 8.3.3
Previously, Stream Registration, which was added as an extra layer of protection during the display of stream rules, automatically registered any streams being used in the context and checked this registry during reloadSection/reloadHarness calls to prevent Broken Access Control attacks. However, only an alert was thrown and no further action was taken on it. Now that the platform has added support for URL Tampering, Stream Registration is no longer required and has been deprecated. The URL Tampering function has the capability to register for auto/non-auto rules and to configure whether to display a warning or reject the request for all activities, not just stream rules. Note that URL Tampering will do registration/validation only when security/rejectTamperedRequests is explicitly set to true.
SR-D52604 · Issue 548060
Stream Registration deprecated and replaced
Resolved in Pega Version 8.3.3
Previously, Stream Registration, which was added as an extra layer of protection during the display of stream rules, automatically registered any streams being used in the context and checked this registry during reloadSection/reloadHarness calls to prevent Broken Access Control attacks. However, only an alert was thrown and no further action was taken on it. Now that the platform has added support for URL Tampering, Stream Registration is no longer required and has been deprecated. The URL Tampering function has the capability to register for auto/non-auto rules and to configure whether to display a warning or reject the request for all activities, not just stream rules. Note that URL Tampering will do registration/validation only when security/rejectTamperedRequests is explicitly set to true.
SR-D90284 · Issue 551471
Added 'when' condition to class change in ShowColorPicker activity
Resolved in Pega Version 8.3.3
When using an included color picker control in a section, selecting a color resulted in the color picker changing the pyWorkPage class to Embed-Skin-Controls. Previously, the ShowColorPicker activity always changed pyWorkPage's obj class; this has been resolved by adding a 'when' condition so that the class is changed only if it is empty.
SR-D86826 · Issue 549209
Ensured refresh for Cosmos CaseAssignments pzInskey
Resolved in Pega Version 8.3.3
In an app built on theme Cosmos, pzIsAJAXContainerContext was failing. Investigation showed that D_CaseAssignments was not updating the pzInskey after a post-assignment action, and this has been resolved by ensuring that Assignment and stages are refreshed after submit.
SR-D86694 · Issue 548667
TeamMembersWidget section include corrected for PortalNav
Resolved in Pega Version 8.3.3
An error was seen when attempting to include the pyTeamMembersWidget section inside a pyPortalNav section. Investigation showed there was data corruption in the section. As a local change, it was possible to 'save as' the section to a ruleset and delete the section embedded in the grid, then drag an embedded section layout from Layouts, add it to the grid row, and select pyTeamMembersWidgetRow. As a permanent resolution, the corrupted section has now been replaced.
SR-D92913 · Issue 553903
Aria-collapsed replaced with aria-expanded to improve accessibility
Resolved in Pega Version 8.3.3
Previously, the system used the aria-collapsed attribute for the left and right navigation toggling. In order to improve accessibility, this attribute has been changed to aria-expanded and the value will be set to true/false accordingly.
SR-D80696 · Issue 548822
Autocomplete context fetched for dropdown in nested case
Resolved in Pega Version 8.3.3
The autocomplete dropdown was empty when using SmartTip and the down arrow was clicked while opening an autocomplete case within an Interaction case. Opening the service case directly in a new tab populated the dropdown values as expected. This has been corrected by registering context changes just before the content is fetched for the overlay.
SR-D86429 · Issue 551371
Badge text Control Format supports declare expression target
Resolved in Pega Version 8.3.3
In the user screen, some properties are shown in a 'Text' control with the 'Badge text' control format. When the value of such a property was set in a Data Transform, it appeared correctly. When the property value was set in a Declare Expression, no background color was set. This was traced to a missed use case in the implementation work for vtable, which resulted in the control format specified in the presentation tab of the control not being applied to the markup when the property was a declare expression target. This has been corrected.