Closed Bug 1712018 Opened 4 years ago Closed 3 years ago

Salesforce errors related to browsers blocking cross-domain cookies

Categories

(CA Program :: Common CA Database, task)

Product:
CA Program
Component:
Common CA Database
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

References

Details

Attachments

(3 files)

Screen Shot 2021-11-08 at 11.21.45 AM.png
306.88 KB, image/png
Details
Screen Shot 2021-11-08 at 11.22.17 AM.png
366.11 KB, image/png
Details
Screen Shot 2022-03-17 at 9.41.31 AM.png
688.19 KB, image/png
Details

When people are running Salesforce on a browser with third-party cookie checking enabled, Salesforce displays this error message:

We can't display this page because your browser blocks cross-domain cookies. Try again with a different supported browser.

If you run into this error in the CCADB there is no need to change browsers. Making one of the following changes should resolve the error in your browser:

  • Add the servers *.salesforce.com, *.force.com, and *.visualforce.com to your browser's cookies exception list
  • Configure P3P for your browser
  • Change your browser settings to allow third-party cookies

Reference: https://help.salesforce.com/articleView?id=sf.pages_browser_security_settings.htm&type=5

We should check that Lightning has the correct Cookies settings

Related: Bug #1620104

Status: NEW → ASSIGNED
Whiteboard: [ccadb-enhancement]
Summary: Change errors related to browsers blocking cross-domain cookies → Salesforce errors related to browsers blocking cross-domain cookies

Also see https://trailblazer.salesforce.com/issues_view?id=a1p4V000002BRMXQA4
There is a similar problem that Salesforce is fixing in regards to cross-origin iframe JS dialogs served from 3rd party non-Salesforce owned domains that use javaScript alert(), confirm(), or prompt() in their functionality. This impact may appear with buttons that were previously functioning as expected, visualforce pages/components, or other content not performing as expected.

Salesforce updated their help page about cross-domain cookies...

Depending on your browser and browser settings, you may see an error similar to the following on some pages:

Your browser privacy settings have prevented this page from showing some content. To display this content
you need to change your browser privacy settings to allow "Third Party" cookies from the domain
MyDomainName--PackageName.vf.force.com. Alternatively, if your browser is Internet Explorer, you can
add MyDomainName--PackageName.vf.force.com to your trusted sites list in the security options page.

If you run into this error in the CCADB making one of the following changes in your browser should resolve the error:

  • Add the servers *.salesforce.com, *.force.com, and *.visualforce.com to your browser's cookies exception list
  • Configure P3P for your browser
  • Change your browser settings to allow third-party cookies

I just reset my Firefox nightly user profile, and I am getting this message on the CCADB home page:
We can't display this page because your browser blocks cross-domain cookies. Try again with a different supported browser.

So I guess Salesforce has not updated the error that they are displaying.

This is due to some form of "Tracking Protection". I don't know if Salesforce domains are on the "tracking" list so it's probably due to "Total Cookie Protection" ("dynamic First Parity Isolation").

Kathleen mentioned Chrome folks sometimes hit this problem too, so it could well be the change to "SameSite=Lax by default"

If SameSite is the problem, changing to another modern browser isn't going to help: the IETF has agreed to an update to the cookie spec and all browsers are moving to have SameSite=Lax by default.

Salesforce needs to add "SameSite=None" to their cookies so that it will work in browsers that honor the updated cookie standard. In order to set SameSite attributes you also have to be using a Secure attribute.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

You could test this by changing the pref network.cookie.sameSite.laxByDefault to false and see if that fixes things (probably want to log out and back in against so everything is set using the new values)

The other potential cause of this is "Total Cookie Protection" but that should only happen if you've set Tracking Protection to "Strict" mode. Easy to check by changing it back to "Standard", and by making sure you're not using private browsing.
https://blog.mozilla.org/security/2021/06/01/total-cookie-protection-in-private-browsing/

(there are some individual prefs to tweak behavior, but best not to muck with it and stick with the overall "Strict/Standard" switch)

Dan, Thanks for your help on this. After doing some more testing I found that I am only running into the problem on our previous CCADB sandbox. The problem no longer occurs in CCADB production and a very new CCADB sandbox. So I believe that Salesforce has updated their SameSite settings.

I will close this bug, because I think that Salesforce has fixed their SameSite settings so that newer instances of Salesforce no longer have this problem.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

I've been using CCADB production all day today on Firefox nightly, with no problems. Then at 2:50pm all of a sudden I started getting the message from Salesforce: "We can't display this page because your browser blocks cross-domain cookies. Try again with a different supported browser."

I will try this:

You could test this by changing the pref network.cookie.sameSite.laxByDefault to false and see if that fixes things (probably want to log out and back in against so everything is set using the new values)

Note that I currently have Browser Privacy set to Standard, and no cookie exceptions set.

(In reply to Kathleen Wilson from comment #9)

I will try this:

You could test this by changing the pref network.cookie.sameSite.laxByDefault to false and see if that fixes things (probably want to log out and back in against so everything is set using the new values)

I set network.cookie.sameSite.laxByDefault to false then restarted Firefox, and CCADB production stopped displaying the error messages.

Then to see if I can reliably recreate the error, I set network.cookie.sameSite.laxByDefault back to true and restarted Firefox, and I have not been able to get the error message to display again.

Note: I haven't used private browsing today. I cleared recent history for today and restarted Firefox Nightly. I still have not been able to reproduce the problem.

Update after chatting with Kathleen: when she did clear-recent-history in comment 10 she didn't include 'offline website data', which possibly was used to restore cookie values ( ¡speculation alert! ). She tried again making sure to nuke all the data and again could reproduce the log-in problem when network.cookie.sameSite.laxByDefault was set to true.

My guess about comment 9 ( ¡speculation alert! ) is that Kathleen had some old cookies that were set without the SameSite=lax attribute, so that production database continued to work, and that earlier today the session token or some such cookie expired. When it was replaced it picked up the SameSite=lax default and then she ran into the problem.

Salesforce's advice in comment 0 is designed for very old browsers, and isn't going to work for the SameSite=lax problem (at least, not in Firefox). They need to update that advice, and update their code to work in a SameSite=Lax world.

If you run into this error in the CCADB there is no need to change browsers. Making one of the following changes should resolve the error in your browser:
[1] Add the servers *.salesforce.com, *.force.com, and *.visualforce.com to your browser's cookies exception list
[2] Configure P3P for your browser
[3] Change your browser settings to allow third-party cookies

I changed bullets to numbers in the above so I could reference them below:

  1. This advice solves the problem of blocking 3rd party cookies, but it doesn't change the attributes on a cookie and therefore won't solve the SameSite-lax-by-default issue.
  2. MS removed support for P3P from Windows 10 more than 5 years ago and no one else supported it.
  3. Again, this only helps if 3rd party cookie blocking was the only problem. It's a simpler but global version of #1

For users who do block all 3rd party cookies, or use a browser with some kind of tracking protection that blocks 3rd party cookies, the advice in bullets 1 and 3 would be useful. But SalesForce also needs to explicitly support SameSite to get SameSite=None behavior. In Chrome there is no longer a way to turn off the "SameSite=lax by default" behavior since Chrome 94 , and presumably the same in Edge/Opera/Brave.

Reopening this bug, because the error message keeps randomly happening in CCADB production, maybe when cookies get reset or expire.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Update with information from Kathleen's experience:
Although Kathleen did see console warnings about cookies with SameSite issues when she logged in, those appeared to be on unimportant-looking (to me) "CookieConsent" cookies. Kathleen has now seen this problem both with network.cookie.sameSite.laxByDefault set to true and set to false so that setting doesn't seem to be the problem. It may still be related to misuse of "SameSite" cookies, but since it happens when laxByDefault is turned off in Firefox (not an option in Chrome anymore) that would make it an explicit use on Salesforce's end.

Either setting, she can log into and use the application just fine. At some time later she comes back to use it, and her next action triggers the cookie warning. She can then open a new window on the site and that works fine.

Since there are multiple origins involved I'm guessing there's OAuth or some equivalent being used for the login. Typically the authorization token needs to be refreshed every so many hours and something is going wrong there. Someone will have to look at a network log to figure this out. Could well still be SameSite related: maybe opening a new window redirects through the Auth domain (so SameSite=lax cookies are sent) while when you stay on the same page it tries to do it in the background with fetch() where they aren't. But it could be other things, too. No point spending more time guessing -- check out a log!

Since it affects multiple browsers with independent engines, clearly this is something Salesforce should be fixing.

The problem occurs when the user has strict settings for their browser usage, including blocking cross-domain cookies and turning on enhanced tracking protection. It looks like Salesforce has partially fixed the problems, but users may run into the error message at unexpected times.

For now, the common cross-browser solution is for users to: Add salesforce.com, force.com, and visualforce.com to their browser's cookies exception list.

It would be ideal for Salesforce to:

  1. Change their error message
    from
    We can't display this page because your browser blocks cross-domain cookies. Try again with a different supported browser.
    to
    Your browser is configured to block cross-domain cookies. You can either update your browser settings to be more lenient, or add salesforce.com, force.com, and visualforce.com to your browser's cookies exception list.

  2. Update their help page, https://help.salesforce.com/articleView?id=sf.pages_browser_security_settings.htm&type=5

SameSite appears to have been a wild goose chase.

Firefox Nightly is configured to turn on "Total Cookie Protection" (aka Dynamic First-Party Isolation) for everyone. In Release versions this is turned on for users who use the "Strict" setting for Enhanced Tracking Protection -- this will also be a problem for those people. Total Cookie Protection doesn't technically block 3rd party cookies, but it will more or less look the same from the point of view of two related domains trying to work together as in this case.

Working solutions for Firefox users that hit this problem:

Since different browsers are taking different privacy approaches--and Chrome is even talking about eliminating 3rd party cookies entirely--Salesforce should look into using the Storage Access API to enable the cookie access they need. Each browser will implement that API so that it works equivalently no matter what their privacy/anti-cookie approach is. This is perhaps a longer range solution as the standard isn't technically approved, and the API is not yet available in Chrome (by default, but then again you don't yet need it on Chrome because it doesn't do tracking protection)

Confirming our findings -- The Salesforce message randomly appeared again in CCADB production. I turned off Enhanced Tracking Protection, and the CCADB started working again.

Filed Bug #1740329 about this.

See Also: → 1740329

I'm going to close this bug, since there is another bug tracking the communication with Salesforce, and there isn't anything else we can do about it.

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
Resolution: --- → DUPLICATE

This problem now happens in Firefox release (98).
Attaching screen shot.

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

I did a bunch of testing of CCADB on Firefox this morning, and only found one way that I can reproduce the problem now... I can now only reproduce the problem using a Salesforce enterprise license on Firefox nightly with a new profile. Interestingly, if I then login to the CCADB using a CA community license, the error will also go away for my Salesforce enterprise license.

I'm going to close this bug again, because (based on my testing) most CCADB users will not see this error message anymore.

Status: REOPENED → RESOLVED
Closed: 4 years ago3 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Priority: P1 → --
Whiteboard: [ccadb-enhancement]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: