Support Article
PegaChat does not work with CSRF SameSite:Lax
SA-99111
Summary
When a Pega Chat application is built on CSSelfService and the index HTML downloaded from the Web Chatbot configuration portal is hosted on an external page, a PRSecurityException occurs. The same error occurs when the Mashup code generated for the Web Chatbot is opened.
The template operator has access to the CSSelfService application.
Error Messages
com.pega.pegarules.pub.context.PRSecurityException: Security violation attempting to access requestor
Steps to Reproduce
- Build an application on CSSelfService.
- Create a Web Chatbot and generate its Mashup code.
- Embed the generated Mashup code in an HTML page hosted outside Pega and open that page in a browser.
Root Cause
The Cross-Site Request Forgery setting 'Enable samesite cookie attribute' was set to LAX.
This setting must not be used together with a Mashup. After authentication, the server issues a new Pega-RULES cookie value that carries the SameSite=Lax attribute. The Mashup is rendered inside an iFrame on a page from another site, so every request it makes is a cross-site subrequest, not a top-level navigation. Browsers (Chromium, for example) only accept a SameSite=Lax cookie from a cross-site response when that response answers a top-level navigation, so the new value never replaces the cookie already stored in the browser. The next request from the iFrame therefore still carries the pre-authentication Pega-RULES cookie; the server cannot match it to the authenticated requestor, raises the security exception, and the Mashup is not displayed.
Resolution
In System > Settings > Cross-Site Request Forgery, clear the 'Enable samesite cookie attribute' option whenever any Mashup is used.
If 'Enable CSRF token check' is enabled, also select 'Enable referrer check' and configure a valid referrer list on the same landing page, so that cross-site request protection for the Mashup does not rely on the SameSite attribute.
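The cookie behaviour behind both the root cause and the resolution can be replayed with a small model of a Chromium-style cookie jar. This is an added example, not Pega code or code from this article. The host names, cookie values, the `postAuthAttrs`/`laxByDefault` options and the simplified rules it encodes (Strict and Lax cookies are only accepted from a cross-site response that answers a top-level navigation, Lax cookies are only sent cross-site on top-level navigations, SameSite=None requires Secure, and a missing attribute is treated as Lax when `laxByDefault` is on, mirroring Chromium 80 and later) are assumptions of the model rather than anything the article states. The pre-authentication cookie is modelled without a SameSite attribute, an assumption consistent with the article's observation that the attribute appears on the post-authentication value.

```javascript
// Added example (not Pega code): a simplified model of how a Chromium-style
// browser stores and sends cookies according to their SameSite attribute,
// used to replay the mashup-in-an-iframe flow from this article.

// Parse one Set-Cookie header value into {name, value, sameSite, secure}.
// sameSite is 'Strict' | 'Lax' | 'None' | null (attribute absent or invalid).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  const known = { strict: 'Strict', lax: 'Lax', none: 'None' };
  for (const part of attrParts) {
    const [k, v = ''] = part.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = known[v.trim().toLowerCase()] ?? null;
  }
  return cookie;
}

// Cookie jar for one site. A request context is {crossSite, topLevelNavigation}:
// an iframe on a third-party page makes cross-site, non-top-level requests.
// laxByDefault=true mirrors Chromium 80+, which treats a missing SameSite
// attribute as Lax; false mirrors older behaviour where it is sent everywhere.
class CookieJar {
  constructor({ laxByDefault = false } = {}) {
    this.laxByDefault = laxByDefault;
    this.cookies = new Map(); // name -> parsed cookie
  }

  effectiveSameSite(cookie) {
    if (cookie.sameSite) return cookie.sameSite;
    return this.laxByDefault ? 'Lax' : 'None';
  }

  // Store a cookie from a response to a request made in ctx; returns whether
  // the browser accepted it. Strict/Lax cookies arriving in a cross-site
  // response are only accepted when that response answers a top-level
  // navigation, so an iframe subresponse cannot replace the stored value.
  store(header, ctx) {
    const cookie = parseSetCookie(header);
    if (this.effectiveSameSite(cookie) !== 'None' && ctx.crossSite && !ctx.topLevelNavigation) return false;
    if (cookie.sameSite === 'None' && !cookie.secure) return false; // None requires Secure
    this.cookies.set(cookie.name, cookie);
    return true;
  }

  // Cookie header the browser attaches to a GET made in ctx.
  cookieHeader(ctx) {
    const sent = [];
    for (const c of this.cookies.values()) {
      const mode = this.effectiveSameSite(c);
      const allowed = !ctx.crossSite || mode === 'None' || (mode === 'Lax' && ctx.topLevelNavigation);
      if (allowed) sent.push(`${c.name}=${c.value}`);
    }
    return sent.join('; ');
  }
}

// Replay of the mashup flow. The hosting page and the Pega server are on
// different sites, so every request from the mashup iframe is cross-site and
// not a top-level navigation. postAuthAttrs is the attribute string appended
// to the post-authentication cookie under the setting being tested
// (constructed values; the pre-authentication cookie is modelled with no
// SameSite attribute, an assumption consistent with the article).
function replayMashup({ postAuthAttrs = '', laxByDefault = false } = {}) {
  const iframeCtx = { crossSite: true, topLevelNavigation: false };
  const jar = new CookieJar({ laxByDefault });
  const storedPreAuth = jar.store('Pega-RULES=preauth-requestor', iframeCtx);
  const storedPostAuth = jar.store('Pega-RULES=authenticated-requestor' + postAuthAttrs, iframeCtx);
  return { storedPreAuth, storedPostAuth, sent: jar.cookieHeader(iframeCtx) };
}

const scenarios = {
  'samesite option set to Lax (article root cause)': { postAuthAttrs: '; SameSite=Lax' },
  'samesite option cleared (article resolution)': {},
  'option cleared, browser defaults to Lax': { laxByDefault: true },
  'SameSite=None; Secure, browser defaults to Lax': { postAuthAttrs: '; SameSite=None; Secure', laxByDefault: true },
};
for (const [label, opts] of Object.entries(scenarios)) {
  const r = replayMashup(opts);
  console.log(`${label}: post-auth cookie stored=${r.storedPostAuth}, next request sends "${r.sent}"`);
}
```

Run it with node. In the first scenario the post-authentication Set-Cookie from the iframe response is rejected and the next request still carries the pre-authentication value, which is the requestor mismatch behind the PRSecurityException; with the option cleared, the new value is stored and sent. The last two scenarios are a caveat worth checking in current browsers rather than something the article states: where a missing SameSite attribute is treated as Lax, a cookie with no attribute is rejected inside the iframe as well, and only a cookie marked SameSite=None; Secure survives a cross-site embed.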
Published January 20, 2020 - Updated December 2, 2021