If you work with Pega web mashup in a third-party domain in Safari 13.1 and later versions, you might experience problems with displaying your mashups on an external web page. The issue results from Safari blocking third-party cookies.
When you try to display a mashup in a web page that uses Safari 13.1, you see the following error message:
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://********/prweb/DGUM90lACED74DAWt5QdLQ%5B%5B*/!STANDARD?pyactivitypzZZZ=cf4bf40cc749310addc30ad4a5d8a8da8f527e446e4c7aed0d9ddacebc22fc865032be060df4542d53cc37376de8e4b46b3831dec248c3606364118229dc8a9df1271e976a2d6094f7d227f2025f4ff5aebd1374ba29b875bfeddf86e4ba0b3d3da2d045be018a9499549d3dc91494b27f576e4ecdf76e2b5c6f66ea5c20ea20c018c629bf31fe0bf97655abe161018af7c308b50cf948fdc10e597dc5da47e0ff28e2bd87514c41bffdbf70f2968ebb1c97b6997e1a2e7268aa63ccea0a8127*'' class='content-item content-field item-5 ' STRING_TYPE='field' RESERVE_SPACE='false'>
The issue occurs in Pega Platform versions 7.2 to 8.7.
The issue occurs only if the Pega web mashup domain is a third-party domain.
In April 2020, Apple released Safari 13.1, with a security feature that blocks third-party cookies by default. The default setting is Prevent cross site tracking. This setting prevents the embedding of any cross-domain content into the main web page.
If the top-level application domain is different from the Pega domain, Safari 13.1 considers Pega Platform cookies to be third-party.
This change negatively affects all deployments using Pega web mashups running on Pega Platform 7.2 to 8.7, which require the prescribed solution. For security reasons, application users are not recommended to disable the default security setting to use Pega web mashup.
To resolve this issue without dynamic system settings and Pega Platform patch release upgrades, request a Pega Cloud custom domain name. For more information, see
For example: The https://clientsite.com/ top-level application embeds the Pega web mashup https://pega.clientsite.com/prweb/ custom domain in https://<cient_env>-.pegacloud.net.
Because both applications are using the same domain but with different subdomains, the system considers the cookies to be first-party cookies.
Use a proxy configuration in which the web server that hosts the top-level application sends proxy requests to the Pega Cloud servers.
For example: The https://clientsite.com/ top- level application embeds the Pega web mashup https://clientsite.com/prweb/ client web server proxy in https://<cient_env>-.pegacloud.net. Note: Configuring a proxy might be difficult if the web server is hosted in a secure layer, because creating a proxy for Pega Cloud from that layer might require firewall changes, such as changes to the <client_env>-internal.pegacloud.io Pega Cloud client-to-client VPN configuration.
For more information, go to Pega Support.
Select how you want to resolve the issue: