Third-party cookies blocked in Safari 13.1

Updated on December 13, 2022
Applicable to Theme Cosmos applications

If you work with Pega web mashup in a third-party domain in Safari 13.1 and later versions, you might experience problems with displaying your mashups on an external web page. The issue results from Safari blocking third-party cookies.

Condition

When you try to display a mashup in a web page that uses Safari 13.1, you see the following error message:

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://********/prweb/DGUM90lACED74DAWt5QdLQ%5B%5B*/!STANDARD?pyactivitypzZZZ=cf4bf40cc749310addc30ad4a5d8a8da8f527e446e4c7aed0d9ddacebc22fc865032be060df4542d53cc37376de8e4b46b3831dec248c3606364118229dc8a9df1271e976a2d6094f7d227f2025f4ff5aebd1374ba29b875bfeddf86e4ba0b3d3da2d045be018a9499549d3dc91494b27f576e4ecdf76e2b5c6f66ea5c20ea20c018c629bf31fe0bf97655abe161018af7c308b50cf948fdc10e597dc5da47e0ff28e2bd87514c41bffdbf70f2968ebb1c97b6997e1a2e7268aa63ccea0a8127*

The issue occurs in Pega Platform versions 7.2 to 8.7.

The issue occurs only if the Pega web mashup domain is a third-party domain.

Cause

In April 2020, Apple released Safari 13.1 with a security feature that blocks third-party cookies by default. The default setting is Prevent cross-site tracking. This setting prevents the embedding of any cross-domain content into the main web page.

If the top-level application domain is different from the Pega domain, Safari 13.1 considers Pega Platform cookies to be third-party.

This change negatively affects all deployments that use Pega web mashups running on Pega Platform 7.2 to 8.7; these deployments require the prescribed solution. For security reasons, it is not recommended that application users disable the default security setting to use Pega web mashup.

Solution

    Select how you want to resolve the issue:

  • To resolve this issue without dynamic system settings and Pega Platform patch release upgrades, request a Pega Cloud custom domain name. For more information, see
    For example: The https://clientsite.com/ top-level application embeds the Pega web mashup https://pega.clientsite.com/prweb/ custom domain in https://<client_env>-.pegacloud.net.

    Because both applications are using the same domain but with different subdomains, the system considers the cookies to be first-party cookies.

  • Use a proxy configuration in which the web server that hosts the top-level application sends proxy requests to the Pega Cloud servers.
    For example: The https://clientsite.com/ top-level application embeds the Pega web mashup https://clientsite.com/prweb/ client web server proxy in https://<client_env>-.pegacloud.net.
    Note: Configuring a proxy might be difficult if the web server is hosted in a secure layer, because creating a proxy for Pega Cloud from that layer might require firewall changes, such as changes to the <client_env>-internal.pegacloud.io Pega Cloud client-to-client VPN configuration.

    For more information, go to Pega Support.
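
The first-party versus third-party distinction behind both options can be checked with a short script. The following is an added example, not Pega code; the public-suffix subset and the example-env host name are constructed assumptions.

```javascript
// Added example: classify a mashup URL relative to the top-level page.
// Assumption: a tiny constructed subset of the Public Suffix List.
// Browsers consult the full list; extend this set for real host names.
const PUBLIC_SUFFIXES = new Set(["com", "net", "io", "co.uk"]);

// Registrable domain: the longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      // A bare public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as not comparable
}

// Returns "same-origin" or "same-site" (cookies are first-party), or
// "cross-site" (cookies are third-party and blocked by Safari 13.1+).
function classifyMashup(topLevelUrl, mashupUrl) {
  const top = new URL(topLevelUrl);
  const mashup = new URL(mashupUrl);
  if (top.origin === mashup.origin) return "same-origin";
  const a = registrableDomain(top.hostname);
  const b = registrableDomain(mashup.hostname);
  return a !== null && a === b ? "same-site" : "cross-site";
}

// Constructed sample deployments; "example-env" is a placeholder host label.
const topLevel = "https://clientsite.com/";
const deployments = {
  "direct Pega Cloud host": "https://example-env.pegacloud.net/prweb/",
  "custom domain name": "https://pega.clientsite.com/prweb/",
  "proxy on client web server": "https://clientsite.com/prweb/",
};

for (const [name, url] of Object.entries(deployments)) {
  console.log(`${name}: ${classifyMashup(topLevel, url)}`);
}
```

Only the direct Pega Cloud host is classified as cross-site, which is the case in which Safari treats the Pega Platform cookies as third-party.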
