CORB error with Chrome 80 SameSite cookies
Ensure that a mashup displays as intended by resolving the Cross-Origin Read Blocking (CORB) error with SameSite cookies in Chrome 80.
Condition
Users that use a Pega web mashup in a Chrome session with the
SameSite
secure cookie attribute set to None
or to Strict
experience the Cross-Origin Read Blocking (CORB)
error.
The error message reads as follows:
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://********/prweb/DGUM90lACED74DAWt5QdLQ%5B%5B*/!STANDARD?pyactivitypzZZZ=cf4bf40cc749310addc30ad4a5d8a8da8f527e446e4c7aed0d9ddacebc22fc865032be060df4542d53cc37376de8e4b46b3831dec248c3606364118229dc8a9df1271e976a2d6094f7d227f2025f4ff5aebd1374ba29b875bfeddf86e4ba0b3d3da2d045be018a9499549d3dc91494b27f576e4ecdf76e2b5c6f66ea5c20ea20c018c629bf31fe0bf97655abe161018af7c308b50cf948fdc10e597dc5da47e0ff28e2bd87514c41bffdbf70f2968ebb1c97b6997e1a2e7268aa63ccea0a8127*'' class='content-item content-field item-5 ' STRING_TYPE='field' RESERVE_SPACE='false'>
Cause
In February 2020, Google Chrome 80 implemented a secure cookie model, changing
the default value of the SameSite
cookie attribute from
None
to Lax
. This change negatively
affects all deployments that use Pega web mashups running on Pega Platform 7.2 and later, which require the prescribed
solution.
Solution
- Apply a hotfix or update to a Pega Platform Patch Release:
- Obtain and install the hotfixes for Pega Platform 7.2.x to 7.4, or update to the
designated Pega Platform 8.x Platform
Patch Release.
Pega Platform Release Hotfix or Platform Patch Release 7.2 HFix-60723 7.2.1 HFix-60801 7.2.2 HFix-60346 7.3 HFix-60724 7.3.1 HFix-60725 7.4 HFix-60726 8.1.x Pega 8.1.9 8.2.x Pega 8.2.8 8.3.x Pega 8.3.4 8.4.x Pega 8.4.3 8.5.x Pega 8.5.1 - Create a dynamic system setting with the following
properties:
- Owning Ruleset: Pega-Engine
- Setting Purpose: security/csrf/samesitecookieattributevalue
- Value: none
For more information, see Creating a dynamic system setting.
- For Pega Platform 8.2 and earlier
releases, restart the server for the dynamic system setting to
take effect.For Pega Platform 8.3 and later releases, when you add or update the security/csrf/samesitecookieattributevalue dynamic system setting, you do not need to restart the server or clustered servers.
- Obtain and install the hotfixes for Pega Platform 7.2.x to 7.4, or update to the
designated Pega Platform 8.x Platform
Patch Release.
Previous topic Troubleshooting browser-specific issues with mashups Next topic Chrome CORB issue