Support Article
CORB error for Pega Web Mashups with Chrome SameSite cookies
Summary
Users working with Pega Web Mashup in the same session of Chrome with the secure cookie attribute SameSite=None or SameSite=Strict experience the CORB error.
Error Messages
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://dfdsfdsfdsf/prweb/DGUM90lACED74DAWt5QdLQ%5B%5B*/!STANDARD?pyactivitypzZZZ=5a349852773b6ff0407b6155e29f74f818ff16e0152871e5e2a325db9609f5d2b9d02c2bda08d1edb76eba8fa5a36037124d532205b2a347bbc0662bdca3ac57667a930a05409d9c34ad1ec1153a6d44eada50c6bea81f759ed863d4918796dfb28016ebcec99aacb1d5b1664de8d486965609382d8f58cc5e3f9e8add948bc025a0bba80655fe5bee13d30f945838525f834242b30249ff66e194bbe182f2bbc813ac1160f86c9ef02d6ccd04d80e47695302a1baedfe116e37a18552e0ad24*
Steps to Reproduce
Using Pega 7.2.1, develop a Pega Platform composite application with Pega Web Mashup in the same session of Chrome with the secure cookie attribute SameSite=None or SameSite=Strict.
Root Cause
A defect in Pegasystems’ code or rules
In February 2020, Google Chrome 80 implemented a new secure cookie model, changing the default value of the SameSite cookie attribute from SameSite=None to SameSite=Lax.
With this change, your Pega 7.2.1 applications using Pega Web Mashup are negatively affected and require the prescribed Resolution.
Resolution
To resolve the problem, choose the option that works best for your enterprise.
Option 1: Disable the Chrome flag for SameSite by default cookies
Set the SameSite by default cookies flag value to Disabled in Chrome 80 and later versions.
- In your Chrome browser session, go to chrome://flags/ and search for the flag SameSite by default cookies.
- Select Disabled.
Option 2: Apply the hotfix and set the SameSite cookie attribute to None
If Option 1 is not feasible for your enterprise, perform the following steps:
- Apply HFix-60801.
- Create the following Dynamic System Setting (DSS):
  Purpose: security/csrf/samesitecookieattributevalue
  Owning Ruleset: Pega-Engine
  Value: none
- If the Pega instance is running on Tomcat 7.0.88, then you must also specify the following setting:
  prconfig/authentication/usepreauthenticationcookie/default = false
  This setting applies to Pega instances running on Tomcat 7.0.88, regardless of whether the application is on premises or running in Pega Cloud.
- Restart the server for the DSS to take effect.
- Run the Pega Web Mashups over secure connections only (HTTPS).
This solution works in mashups on secure HTTPS connections only.
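The following added Python check (not part of this article or of the Pega product) applies the Chrome 80 rules described above to a Set-Cookie header and reports whether the cookie would still reach a cross-site embedded mashup: a missing SameSite attribute is treated as Lax, Lax and Strict cookies are withheld from cross-site iframes, and SameSite=None is honoured only together with Secure on an HTTPS origin. The cookie names and header values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class CookieCheck:
    name: str
    samesite: str              # effective value after the Chrome 80 default is applied
    secure: bool
    sent_cross_site: bool      # would Chrome 80 send it to a cross-site iframe?
    reason: str


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (cookie name, {attribute: value}); attribute
    names are lower-cased, flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_mashup_cookie(header: str, over_https: bool = True) -> CookieCheck:
    """Decide whether a cookie survives the Chrome 80 SameSite default change when
    the page that set it is embedded cross-site (the Pega Web Mashup case)."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("none", "lax", "strict"):
        samesite = "lax"       # Chrome 80 default for unspecified or unknown values
    if samesite == "none":
        if not secure:
            return CookieCheck(name, samesite, secure, False,
                               "SameSite=None without Secure is rejected by Chrome 80")
        if not over_https:
            return CookieCheck(name, samesite, secure, False,
                               "Secure cookies are not stored from a plain-HTTP response")
        return CookieCheck(name, samesite, secure, True,
                           "SameSite=None; Secure over HTTPS: sent to the embedded mashup")
    return CookieCheck(name, samesite, secure, False,
                       f"SameSite={samesite} cookies are withheld from cross-site iframes")


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real Pega server.
    for hdr in ("session=abc123; Path=/prweb; HttpOnly",
                "session=abc123; Path=/prweb; HttpOnly; Secure; SameSite=None",
                "session=abc123; Path=/prweb; SameSite=None"):
        print(check_mashup_cookie(hdr))
```

Run it against the Set-Cookie headers your Pega server actually emits (for example from the browser's network panel) before and after applying the DSS; only the second sample above matches the Resolution, which is why the mashup must run over HTTPS.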
Published October 8, 2020