Current behavior:
The session id will not be saved in the cookie because sameSite is omitted, which defaults to Lax.
This default behavior was introduced recently in almost all recent browsers and Webviews (this will prevent embedding odoo in a custom app with native behavior): https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
Expected behavior:
there should be an option to enable session id in cookies without having to host my own odoo. I propose that we do the following in odoo/http.py:
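```python
# Method of the Response class in odoo/http.py (functools, werkzeug and request come from that module).
@functools.wraps(werkzeug.Response.set_cookie)
def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=False, httponly=False, samesite=None, cookie_type='required'):
    if request.db and not request.env['ir.http']._is_allowed_cookie(cookie_type):
        expires = 0
        max_age = 0
    if request.db:
        # Optional overrides from system parameters; when unset, behavior is unchanged.
        # The Response object has no env of its own, so the parameters are read via request.env.
        params = request.env['ir.config_parameter'].sudo()
        samesite_override = params.get_param('website.cookie_samesite_override')
        if samesite_override:
            samesite = samesite_override
        # get_param returns a string, so any non-empty value turns Secure on.
        # Browsers reject SameSite=None cookies that are not also Secure.
        secure_override = params.get_param('website.cookie_secure_override')
        if secure_override:
            secure = secure_override
    werkzeug.Response.set_cookie(self, key, value=value, max_age=max_age, expires=expires, path=path, domain=domain, secure=secure, httponly=httponly, samesite=samesite)
```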
This way, the default behavior will be as it is today, while giving SaaS users an option to change it in system parameters if they need it.
The same issue was fixed for third-party payment, but not for iframe: #72267
Video/Screenshot link (optional):
Support ticket number submitted via odoo.com/help (optional):
Side note: there is a bug in V16 when using an iframe, make sure to apply the following correction to web.assets_frontend_lazy.min.js in attachment (lol, I was surprised to see V16 launch with this bug): 7210c50
Impacted versions:
V16 SaaS and all other versions
Steps to reproduce:
1- make an html page that has an iframe, something like this:
2- in console, run the following in the iframe, which should set the session id in the cookie (update db, login, and password):
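The browser rule behind this report, and a validation step for the two proposed system parameters, as an added example that is not part of the original issue and is not Odoo code. The function names and sample headers are constructed for illustration; only `session_id` and the two override values come from the issue.

```python
from http.cookies import SimpleCookie

SAMESITE_VALUES = {"strict": "Strict", "lax": "Lax", "none": "None"}

def effective_samesite(morsel):
    """Browser-side view: a missing or unrecognised SameSite is treated as Lax."""
    return SAMESITE_VALUES.get(morsel["samesite"].lower(), "Lax")

def usable_in_cross_site_iframe(set_cookie_header, name="session_id"):
    """Return (ok, reason) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return False, "cookie not present"
    morsel = jar[name]
    mode = effective_samesite(morsel)
    if mode != "None":
        return False, f"SameSite={mode}: withheld in a cross-site iframe"
    if not morsel["secure"]:
        return False, "SameSite=None without Secure is rejected"
    return True, "SameSite=None; Secure"

def normalize_override(samesite_param, secure_param):
    """Validate the two system-parameter strings; return (samesite, secure)."""
    samesite = SAMESITE_VALUES.get((samesite_param or "").strip().lower())
    if samesite_param and samesite is None:
        raise ValueError(f"invalid SameSite override: {samesite_param!r}")
    secure = (secure_param or "").strip().lower() in {"1", "true"}
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure override as well")
    return samesite, secure

# Constructed sample headers (not captured from a real server).
SAMPLES = [
    "session_id=abc123; Path=/; HttpOnly",
    "session_id=abc123; Path=/; HttpOnly; SameSite=None",
    "session_id=abc123; Path=/; HttpOnly; SameSite=None; Secure",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", usable_in_cross_site_iframe(header))
```

Setting `SameSite=None` on the session cookie means it is also sent on cross-site requests from any other origin, so CSRF protection can no longer rely on the cookie's SameSite attribute once the override is enabled.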