Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

CORB error for Pega Web Mashups with Chrome SameSite cookies



Users working with Pega Web Mashup in the same session of Chrome with the secure cookie attribute SameSite=None or SameSite=Strict experience the CORB error.

Error Messages


Cross-Origin Read Blocking (CORB) blocked cross-origin response https://xyz/prweb/DGUM90lACED74DAWt5QdLQ%5B%5B*/!STANDARD?pyactivitypzZZZ=5a349852773b6ff0407b6155e29f74f818ff16e0152871e5e2a325db9609f5d2b9d02c2bda08d1edb76eba8fa5a36037124d532205b2a347bbc0662bdca3ac57667a930a05409d9c34ad1ec1153a6d44eada50c6bea81f759ed863d4918796dfb28016ebcec99aacb1d5b1664de8d486965609382d8f58cc5e3f9e8add948bc025a0bba80655fe5bee13d30f945838525f834242b30249ff66e194bbe182f2bbc813ac1160f86c9ef02d6ccd04d80e47695302a1baedfe116e37a18552e0ad24*'' class='content-item content-field item-5 ' STRING_TYPE='field' RESERVE_SPACE='false'>


Steps to Reproduce


Using  Pega 7.3, develop a Pega Platform composite application with Pega Web Mashup in the same session of Chrome with the secure cookie attribute SameSite=None or SameSite=Strict.

Root Cause

A defect in Pegasystems’ code or rules

In February 2020, Google Chrome 80 implemented a new secure cookie model, changing the default value of the SameSite cookie attribute from SameSite=None to SameSite=Lax.

With this change, your Pega applications using Pega Web Mashup are negatively affected and require the prescribed Resolution.


To resolve the problem, choose the option that works best for your enterprise.

Option 1 Disable the Chrome flag for SameSite by default cookies

Set the SameSite by default cookies flag value to Disabled in Chrome 80 and later versions.
  1. In your Chrome browser session, address chrome://flags/ and Search for or find the flag, SameSite by default cookies.
  2. Select Disabled.
Option 2 Apply hotfix or upgrade to a Pega Platform Patch Release

If Option 1 is not feasible for your enterprise, perform the following steps:
  1. Apply HFix-60724.
  2. Create the following DSS:
    Purpose: security/csrf/samesitecookieattributevalue
    Owning Ruleset: Pega-Engine
    Value: none
  3. If the Pega instance is running on Tomcat 7.0.88, then you must specify the following setting:
    prconfig/authentication/usepreauthenticationcookie/default = false 
    This setting applies to Pega instances using Tomcat 7.0.88, regardless of whether the application is on the premises or running in Pega Cloud.
  4. Restart the server for the DSS to take effect.
  5. Run the Pega Web Mashups over secure connections only (HTTPS).
    This solution works in mashups on secure HTTPS connections only..
See Troubleshooting CORB error for Pega Web Mashups with Chrome SameSite cookies .


Published October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us