Cross-Domain Cookies
Cookies are one of the methods available for adding a persistent state to websites and they are essential for running Oxygen XML Web Author.
In an effort to enforce more privacy-preserving defaults, modern browsers have changed the default behavior of cookies: by default, they are no longer set for cross-domain requests.
Cross-Domain Cookies and Oxygen XML Web Author
When Oxygen XML Web Author is embedded in an iframe and served from a hostname that is different from the parent web application, the default cookie behavior will prevent it from setting any cookies.
If serving Oxygen XML Web Author on a hostname that is different from the parent web application is unavoidable, you can force cookies to be set with the SameSite=None attribute and the Secure attribute (while also deactivating the "X-Frame-Options" header that is set to "SAMESITE" by default) by setting the force.cookies.samesite.none option to true.
Note: The SameSite=None cookie attribute can only be set when the Secure attribute is set, so you will be forced to also serve Oxygen XML Web Author over HTTPS.
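The cookie rules described above can be checked against a captured Set-Cookie header before deploying an embedded setup. The following is an added example, not code from Oxygen XML Web Author; the function names, the cookie name and the sample headers are assumptions constructed for illustration, and the model of browser behavior is simplified to the SameSite and Secure rules discussed on this page.

```javascript
// Added example: predicts whether a browser that defaults to SameSite=Lax
// keeps a cookie set by an application embedded in a cross-site iframe.
// parseSetCookie and auditEmbeddedCookie are hypothetical helper names.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? "" : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// https: the embedded application is served over HTTPS.
// crossSite: the iframe's hostname belongs to a different site than the parent page.
function auditEmbeddedCookie(header, { https, crossSite }) {
  const c = parseSetCookie(header);
  const problems = [];
  // A missing or unrecognised SameSite value is treated as Lax.
  const mode = ["strict", "lax", "none"].includes(c.sameSite) ? c.sameSite : "lax";
  if (mode === "none" && !c.secure) {
    problems.push("SameSite=None requires the Secure attribute");
  }
  if (c.secure && !https) {
    problems.push("Secure cookies cannot be set over plain HTTP");
  }
  if (crossSite && mode !== "none") {
    problems.push(`SameSite=${mode} cookies are not set in a cross-site iframe`);
  }
  return { name: c.name, usable: problems.length === 0, problems };
}

// Constructed sample headers: default behavior first, then the forced variant.
const samples = [
  "JSESSIONID=abc123; Path=/; HttpOnly",
  "JSESSIONID=abc123; Path=/; HttpOnly; SameSite=None",
  "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=None",
];
for (const header of samples) {
  console.log(header, "->", auditEmbeddedCookie(header, { https: true, crossSite: true }));
}
```

Only the third sample header survives in a cross-site iframe, and only when the application is served over HTTPS.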