I have an external website (non-Salesforce domain) where one of its page is exposing a Salesforce LEX public community page via iframe.

The community's setting "Clickjack Protection Level" is set to "Allow framing by any page", so the iframe response header "X-FRAME-OPTIONS" is set to "ALLOWALL".

The Salesforce public community page has an aura component that triggers a Salesforce flow.

This works fine in IE, but in Chrome because of the recent security change (SameSite by default cookies) it seems that cookie access (set or read) is disabled.

The iframe tag is ommiting the sandox attribute and in chrome after loading it throws the technical error:

"Please enable cookies in your browser to display this site."

The Salesforce standard cookie check is failing:

"
document.cookie = "cookieTest=x";
var cookieEnabled = document.cookie.indexOf("cookieTest=") != -1; document.cookie = "cookieTest=x; expires=Thu, 01-Jan-1970 00:00:01 GMT;";
if (!cookieEnabled) {
........ display error message to user
"
Has anyone faced the same issue or would know how to avoid this error message in chrome without changing the browser settings?

PS: I don't need any cross-origin cookie from the external website (exposing the community page via iframe)
Additionally, iframe would not be my first option but is an approach that was already agreed before I got involved and before changing approach I will have to discuss with the other party involved.

Thank you in advance



 

I'm trying to drop messages on an Azure message queue for processing.  I have been able to build the HttpRequest, but am receiving a 403 - failed to authenticate message from Azure when calling the REST API.  I am using the following code:

string storageKey = 'removedforprivacy';

    Datetime dt = Datetime.now();
    string formattedDate = dt.formatGMT('EEE, dd MMM yyyy HH:mm:ss') + ' UTC';
    string stringToSign = 'POST\n\napplication/xml\n\nx-ms-date:' + formattedDate + '\n' +
                                      '/myqueue/testqueue/messages';

    // Sign the request
    Blob temp = EncodingUtil.base64Decode(storageKey);
    Blob hmac = Crypto.generateMac('HMacSHA256', Blob.valueOf(stringToSign), temp);
    string signature = EncodingUtil.base64Encode(hmac);
    Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign))));

    // This ends up being the exact same as the console app
    system.debug('SIGNATURE==>SharedKey myqueue:' + signature);

    HttpRequest req = new HttpRequest();
    req.setMethod('POST');
    req.setHeader('content-type', 'application/xml');
    req.setHeader('x-ms-date', formattedDate);
    string authHeader = 'SharedKey myqueue:' + signature;
    req.setHeader('Authorization', authHeader);

    req.setEndpoint('https://myqueue.queue.core.windows.net/testqueue/messages');

    req.setBody('<QueueMessage><MessageText>' + EncodingUtil.base64Encode(Blob.valueOf('This is a test from salesforce')) + '</MessageText></QueueMessage>');

    system.debug(req);

    Http http = new Http();

    try
    {
        HTTPResponse res = http.send(req);

        system.debug(res.toString());
        system.debug(res.getStatus());
        system.debug(res.getStatusCode());

    }
    catch (system.CalloutException ce)
    {
        system.debug(ce);
    }

I created a small .NET console app to verify how to create the request and the connectivity.  Once that was working, I verified the signed signature used in the Authorization header is the same when created both in .NET and in Salesforce.  Has anyone else came across this?  Is there something you can see in the code I have written?  Is there a way for me to capture the HttpRequest that is being posted by Salesforce (something similar to fiddler would be great)?