Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Blocked third-party cookies

Updated on December 13, 2022

If you work with Pega Web Mashup in a third-party domain, you might experience problems with displaying your mashups on an external web page. The issue is caused by browsers blocking third-party cookies.

Condition

When you try to display a mashup in a web page, you see the following error message:

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://********/prweb/DGUM90lACED74DAWt5QdLQ%5B%5B*/!STANDARD?pyactivitypzZZZ=cf4bf40cc749310addc30ad4a5d8a8da8f527e446e4c7aed0d9ddacebc22fc865032be060df4542d53cc37376de8e4b46b3831dec248c3606364118229dc8a9df1271e976a2d6094f7d227f2025f4ff5aebd1374ba29b875bfeddf86e4ba0b3d3da2d045be018a9499549d3dc91494b27f576e4ecdf76e2b5c6f66ea5c20ea20c018c629bf31fe0bf97655abe161018af7c308b50cf948fdc10e597dc5da47e0ff28e2bd87514c41bffdbf70f2968ebb1c97b6997e1a2e7268aa63ccea0a8127*'' class='content-item content-field item-5 ' STRING_TYPE='field' RESERVE_SPACE='false'>

The issue occurs only if the Pega Web Mashup domain is a third-party domain.

Cause

As of 2024, all major browsers include a security feature that blocks third-party cookies by default. The default setting is Prevent cross site tracking. This setting prevents the embedding of any cross-domain content into the main web page.

If the top-level application domain is different from the Pega domain, the browser considers Pega Platform cookies to be third-party.

This change negatively affects all deployments using Pega Web Mashup, which require the following solution. For security reasons, application users are not recommended to disable the default security setting to use Pega Web Mashup.

Solution

    Select how you want to resolve the issue:

  • To resolve this issue without dynamic system settings and Pega Platform patch release updates, request a Pega Cloud custom domain name.
    For example: The https://clientsite.com/ top-level application embeds the Pega Web Mashup https://pega.clientsite.com/prweb/ custom domain in https://<cient_env>-.pegacloud.net.

    Because both applications are using the same domain but with different subdomains, the system considers the cookies to be first-party cookies.

  • Use a proxy configuration in which the web server that hosts the top-level application sends proxy requests to the Pega Cloud servers.
    For example: The https://clientsite.com/ top- level application embeds the Pega Web Mashup https://clientsite.com/prweb/ client web server proxy in https://<cient_env>-.pegacloud.net.
    Note: Configuring a proxy might be difficult if the web server is hosted in a secure layer, because creating a proxy for Pega Cloud from that layer might require firewall changes, such as changes to the <client_env>-internal.pegacloud.io Pega Cloud client-to-client VPN configuration.

    For more information, go to Pega Support.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us