Iframe "URL view" works in Firefox, not Chrome

Hello all!

I have a wiki (Mediawiki v1.35.1) that works when unframed – that is, when not embedded as an iframe URL view in Shotgun.

When embedded in SG, the wiki login form:

…works with:

  • Firefox, 85.0 Linux
  • Firefox, 86.0 Windows

…and does NOT work with:

  • Chrome, 89.0 Windows

Specifically: “Not working” means authentication is blocked and this error is displayed:

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form."

It seems there is clickjacking defense involved.

My Apache (v2.4.6) headers:

Header set Access-Control-Allow-Origin "*"
Header set Content-Security-Policy "frame-ancestors 'self' *.shotgunstudio.com"
Header unset X-Frame-Options

My wiki LocalSettings.php settings:

$wgEditPageFrameOptions = false;
$wgApiFrameOptions =false;
$wgCookiePrefix = "wiki";
$wgBreakFrames = false;

Other community posts I’ve pondered

  1. URL widget with locally hosted sites
  2. Embedding files and versions in notes

So, I suspect this may be a MediaWiki issue, and not strictly a Shotgun issue, but it seems that a few community members have enountered something like this. But I am especially puzzled by the difference between Firefox and Chrome.

Any ideas on how to fix this?


Ah! Someone gave me the answer!

Chrome recently applied a new default of " lax " to the " SameSite " parameter of cookies. Lax was not lax enough; I needed to set SameSite=none .

Added to LocalSettings.php of MediaWiki: