View Issue Details

ID: 16769
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-01-14 16:01
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.24.2
Fixed in Version: 4.3.22
Summary: 16769: Unable to embed in iframe (using config.php) for Chrome
Description

Currently: allowing the survey in an iframe can work, except on new Chrome versions.

Cookies inside an iframe in Chrome need:
1. SameSite set to None
2. Secure set to true

It can be done for csrfCookie but not for the session cookie.
Steps To Reproduce

Set "IFrame embedding allowed" to ON (this rarely works, never for new Chrome).

Check with Chrome: CSRF issue.

Update config.php:

```
        'session' => array (
            'sessionName' => "LimeSurveyTest",
            'cookieParams' => array(
                'secure' => true,
                'sameSite' => 'none',
            ),
        ),
```

and
```
        'request' => array(
            'enableCsrfValidation'=>true,
            'csrfCookie' => array(
                'sameSite' => 'none',
                'secure' => true,
            ),
        ),
```

(you need https)

Check with Firefox (default config): seems OK
Check with Chrome: session issue


Additional Information

Reason: need a Yii update to have samesite available in config for the session cookie.

https://github.com/yiisoft/yii/commit/566cae7fd94cffb8a20771949c8a97a27bd237f8#diff-652721134484aa3b5f3d6fe36ddc8db5b02f315e1ea047974e40dec1cc0675fb

I checked by replacing just this function: it works (with my Chrome and my Firefox).

See
https://bugs.chromium.org/p/chromium/issues/detail?id=1062162
https://blog.heroku.com/chrome-changes-samesite-cookie

For information: null for Chrome means Lax, null for Firefox: None.
Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.24.2
I will donate to the project if issue is resolved: No
Browser: not relevant?
Database & DB-Version: not relevant?
Server OS (if known): not relevant?
Webserver software & version (if known): not relevant?
PHP Version: not relevant?

Activities

DenisChenu (developer), 2020-10-21 15:41, note ~60335

Check here: http://www.gsill.net/example/check/
DenisChenu (developer), 2020-10-21 15:45, note ~60336

About settings: since config.php is loaded before config is read, I think it's hard to make it dynamic according to **IFrame embedding allowed**, but we can document it.
DenisChenu (developer), 2020-10-21 15:53, note ~60337

@ollehar: need advice …

To fix this issue we need https://github.com/yiisoft/yii/commit/566cae7fd94cffb8a20771949c8a97a27bd237f8#diff-652721134484aa3b5f3d6fe36ddc8db5b02f315e1ea047974e40dec1cc0675fb
But it's only in Yii1 master, not in any release …

Do I move to master for other fixes, https://github.com/yiisoft/yii/pull/4306 for example?

Or just apply the patch?

Denis
ollehar (administrator), 2020-10-21 15:54, note ~60338

Apply manually? Then we update Yii when released.
DenisChenu (developer), 2020-10-21 15:55, note ~60339

Milestone for next release: https://github.com/yiisoft/yii/milestone/15
DenisChenu (developer), 2020-10-21 15:56, note ~60340

OK,

Thank you.
DenisChenu (developer), 2020-10-21 16:55, note ~60342

Screenshots of cookie settings, FF vs Chrome
DenisChenu (developer), 2020-10-21 16:57, note ~60343

https://github.com/LimeSurvey/LimeSurvey/pull/1629
DenisChenu (developer), 2020-10-22 11:30, note ~60354

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30643
DenisChenu (developer), 2020-10-22 12:09, note ~60358

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30645
DenisChenu (developer), 2020-10-22 12:22, note ~60359

Clone
Mazi (partner), 2021-01-14 15:59, note ~61542 (last edited: 2021-01-14 16:01)

Here comes an adjusted config.php file with the correct settings mentioned above (note the difference between "samesite" and "sameSite"!):

```
return array(
    'components' => array(
        'db' => array(
            'connectionString' => 'mysql:host=localhost;port=3306;dbname=xxx;',
            'emulatePrepare' => true,
            'username' => 'xxx',
            'password' => 'xxx/&',
            'charset' => 'utf8mb4',
            'tablePrefix' => 'lime_',
        ),
        'session' => array (
            'sessionName'=>'LS-MORCEARBZKUGPRIQ',
            'cookieParams' => array(
                'secure' => true,
                'samesite' => 'none',
            ),

            // Uncomment the following lines if you need table-based sessions.
            // Note: Table-based sessions are currently not supported on MSSQL server.
            // 'class' => 'application.core.web.DbHttpSession',
            // 'connectionID' => 'db',
            // 'sessionTableName' => '{{sessions}}',
        ),
        'urlManager' => array(
            'urlFormat' => 'path',
            'rules' => array(
                // You can add your own rules here
            ),
            'showScriptName' => true,
        )
    ),
    // For security issue : it's better to set runtimePath out of web access
    // Directory must be readable and writable by the webuser
    // 'runtimePath'=>'/var/limesurvey/runtime/'
    // Use the following config variable to set modified optional settings copied from config-defaults.php
    'config'=>array(
    // debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
    // then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
    // on your webspace.
    // LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
        'debug'=>0,
        'debugsql'=>0, // Set this to 1 to enable sql logging, only active when debug = 2
        // Update default LimeSurvey config here
        'request' => array(
            'enableCsrfValidation'=>true,
            'csrfCookie' => array(
                'samesite' => 'none',
                'secure' => true,
            ),
        )
    )
);
```
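The report's reproduction steps ("check with Chrome", "check with Firefox") and Mazi's config.php both come down to one question: does each Set-Cookie header the survey emits carry `SameSite=None` together with `Secure`, and how does each browser treat a cookie that does not? The following is an added example written for this page, not LimeSurvey or Yii code. It parses Set-Cookie headers and applies the rules the report relies on: Chrome treats a missing SameSite as Lax and honours `SameSite=None` only on a `Secure` cookie, while for Firefox only the report's statement ("null means None") is modelled. It also renders the header a `cookieParams`-style array should produce, accepting both the `sameSite` spelling from the report and the `samesite` spelling from Mazi's post, because the two posts differ on case. The cookie names `LimeSurveyTest` (from the report's config) and `YII_CSRF_TOKEN` (Yii 1's default CSRF cookie name, assumed here to be what LimeSurvey uses) and the sample headers are constructed, not captured from a real instance.

```python
"""Audit Set-Cookie headers for cross-site <iframe> use (Chrome vs Firefox).

Added example for bug 16769; not LimeSurvey or Yii code. Chrome rules modelled:
missing SameSite -> Lax, and SameSite=None is only honoured together with Secure.
Firefox: only the report's statement (missing SameSite -> None) is modelled.
The sample headers at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased attribute names

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def samesite(self) -> Optional[str]:
        """Lower-cased SameSite value, or None when the attribute is absent or empty."""
        value = self.attrs.get("samesite")
        return value.lower() if value else None


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip() if has_value else None
    return ParsedCookie(name.strip(), value.strip(), attrs)


def effective_samesite(cookie: ParsedCookie, browser: str) -> Optional[str]:
    """SameSite mode the browser will enforce, or None if the cookie is rejected outright."""
    declared = cookie.samesite
    if declared is None:
        # Chrome 80+ treats a missing attribute as Lax; Firefox (as the report
        # states) treats it as None.
        return "lax" if browser == "chrome" else "none"
    if declared == "none" and not cookie.secure and browser == "chrome":
        return None  # Chrome drops SameSite=None cookies that are not Secure
    return declared


def usable_in_cross_site_iframe(cookie: ParsedCookie, browser: str) -> bool:
    """True if the browser sends this cookie on requests made from a third-party iframe.

    Assumes the embedding page and the survey are both served over https; a
    Secure cookie is never sent over plain http anyway.
    """
    return effective_samesite(cookie, browser) == "none"


def audit(headers: List[str], browser: str) -> Dict[str, bool]:
    """Map cookie name -> whether it survives cross-site iframe embedding in `browser`."""
    return {c.name: usable_in_cross_site_iframe(c, browser) for c in map(parse_set_cookie, headers)}


def build_set_cookie(name: str, value: str, params: Dict[str, object]) -> str:
    """Render the Set-Cookie header a cookieParams-style array should produce.

    Accepts both 'sameSite' and 'samesite' keys, since the posts on this page
    disagree on the case of the key.
    """
    parts = [f"{name}={value}", f"path={params.get('path', '/')}"]
    if params.get("domain"):
        parts.append(f"domain={params['domain']}")
    if params.get("secure"):
        parts.append("secure")
    if params.get("httponly"):
        parts.append("HttpOnly")
    same_site = params.get("sameSite") or params.get("samesite")
    if same_site:
        parts.append(f"SameSite={str(same_site).capitalize()}")  # 'none' -> 'None'
    return "; ".join(parts)


# Constructed sample headers modelled on the report: the session cookie with the
# pre-fix defaults, a CSRF cookie already fixed via csrfCookie, and a broken one.
# YII_CSRF_TOKEN is Yii 1's default CSRF cookie name (assumed for LimeSurvey).
SAMPLE_HEADERS = [
    "LimeSurveyTest=0k3f9e; path=/; HttpOnly",
    "YII_CSRF_TOKEN=abc123; path=/; secure; HttpOnly; SameSite=None",
    "broken=1; path=/; SameSite=None",
]

if __name__ == "__main__":
    for browser in ("chrome", "firefox"):
        print(browser, audit(SAMPLE_HEADERS, browser))
    print(build_set_cookie("LimeSurveyTest", "0k3f9e", {"secure": True, "httponly": True, "sameSite": "none"}))
```

Running it shows why the report sees Firefox "seems OK" and Chrome "session issue" with the same server: the session cookie without a SameSite attribute is still sent by Firefox but downgraded to Lax by Chrome, and the `broken` cookie shows the other Chrome trap, `SameSite=None` without `Secure`, which is discarded entirely. To use it against a live instance, feed `audit()` the Set-Cookie header values from a response to the survey URL.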

Related Changesets

LimeSurvey: 3.x-LTS e1459a65 (2020-10-21 16:52:08, DenisChenu)

Fixed issue 16769: Unable to embed in iframe (using config.php) for Chrome
Dev: apply patch from Yii1 before Yii 1.1.23
Dev: see https://github.com/yiisoft/yii/pull/4313/files
Affected Issues: 16769
mod - framework/web/CHttpSession.php

LimeSurvey: master 40b57dcd (2020-10-21 16:52:08, DenisChenu)

Fixed issue 16769: Unable to embed in iframe (using config.php) for Chrome
Dev: apply patch from Yii1 before Yii 1.1.23
Dev: see https://github.com/yiisoft/yii/pull/4313/files
Dev: cherry-picked
Dev: session can be set with samesite:None checked
Affected Issues: 16769
mod - framework/web/CHttpSession.php

LimeSurvey: 3.x-LTS 3c5028f2 (2020-10-22 11:30:44, ollehar; Committer: GitHub)

Merge pull request #1629 from Shnoulle/3X_allowChromeIframeViaConfig

Fixed issue 16769: Unable to embed in iframe (using config.php) for Chrome
Affected Issues: 16769
mod - framework/web/CHttpSession.php

Issue History

Date Modified Username Field Change
2020-10-21 15:41 DenisChenu New Issue
2020-10-21 15:41 DenisChenu Note Added: 60335
2020-10-21 15:42 DenisChenu Assigned To => DenisChenu
2020-10-21 15:42 DenisChenu Status new => assigned
2020-10-21 15:45 DenisChenu Note Added: 60336
2020-10-21 15:53 DenisChenu Note Added: 60337
2020-10-21 15:54 ollehar Note Added: 60338
2020-10-21 15:55 DenisChenu Note Added: 60339
2020-10-21 15:56 DenisChenu Note Added: 60340
2020-10-21 16:55 DenisChenu Note Added: 60342
2020-10-21 16:55 DenisChenu File Added: Capture d’écran du 2020-10-21 16-54-01.png
2020-10-21 16:55 DenisChenu File Added: Capture d’écran du 2020-10-21 16-54-50.png
2020-10-21 16:57 DenisChenu Assigned To DenisChenu => cdorin
2020-10-21 16:57 DenisChenu Status assigned => testing
2020-10-21 16:57 DenisChenu Note Added: 60343
2020-10-22 11:30 ollehar Changeset attached => LimeSurvey 3.x-LTS 3c5028f2
2020-10-22 11:30 DenisChenu Changeset attached => LimeSurvey 3.x-LTS e1459a65
2020-10-22 11:30 DenisChenu Note Added: 60354
2020-10-22 11:30 DenisChenu Assigned To cdorin => DenisChenu
2020-10-22 11:30 DenisChenu Resolution open => fixed
2020-10-22 11:58 DenisChenu Status testing => resolved
2020-10-22 11:58 DenisChenu Fixed in Version => 3.24.2
2020-10-22 12:09 DenisChenu Changeset attached => LimeSurvey master 40b57dcd
2020-10-22 12:09 DenisChenu Note Added: 60358
2020-10-22 12:22 DenisChenu Status resolved => closed
2020-10-22 12:22 DenisChenu Fixed in Version 3.24.2 => 4.3.22
2020-10-22 12:22 DenisChenu Note Added: 60359
2021-01-14 15:59 Mazi Note Added: 61542
2021-01-14 15:59 Mazi Note Edited: 61542 View Revisions
2021-01-14 16:01 Mazi Note Edited: 61542 View Revisions
2021-01-14 16:01 Mazi Note Edited: 61542 View Revisions
2021-01-14 16:01 Mazi Note Edited: 61542 View Revisions