SAP/luigi

removal of luigiCookie

Closed this issue · 4 comments

Description

I am getting Chrome warnings:

Reading cookie in cross-site context may be impacted on Chrome 

Cookies with the SameSite=None; Secure and not Partitioned attributes that operate in cross-site contexts are third-party cookies. Chrome is moving towards a new experience that lets people make an informed choice with respect to third-party cookies.

and the affected cookie is your luigiCookie.

What are your plans with this issue?

Is it possible to remove this cookie and thus get rid of these problems?

Reasons

I am not sure how it would function in future chrome versions,
possibly chrome will show an accept cookie popup to users (?),
but it would be better to avoid this complication.
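The condition named in the Chrome warning (SameSite=None; Secure and not Partitioned) can be checked mechanically. The following is an added example, not code from the Luigi project: it classifies Set-Cookie or document.cookie strings by those three attributes. The sample cookie strings, including the attributes shown for luigiCookie, are constructed from the warning text.

```javascript
// Added example: classify cookies by the attributes the Chrome warning names.
// Input is a Set-Cookie header value or a string assigned to document.cookie.
function parseCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    sameSite: null,
    secure: false,
    partitioned: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    // Attribute names and SameSite values are case-insensitive.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim().toLowerCase();
    if (key === 'samesite') cookie.sameSite = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'partitioned') cookie.partitioned = true;
  }
  return cookie;
}

function classify(header) {
  const c = parseCookie(header);
  // Chrome treats a missing or unrecognised SameSite value as Lax.
  if (c.sameSite !== 'none') return 'same-site-only';
  // Chrome rejects SameSite=None cookies that lack Secure.
  if (!c.secure) return 'rejected';
  // Partitioned cookies are keyed to the top-level site and not flagged.
  return c.partitioned ? 'partitioned' : 'third-party';
}

// Names of the cookies that match the warning's definition.
function audit(headers) {
  return headers
    .filter((h) => classify(h) === 'third-party')
    .map((h) => parseCookie(h).name);
}

// Constructed sample input, not captured from a real application.
const samples = [
  'luigiCookie=true; SameSite=None; Secure',
  'session=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
  'embed=1; SameSite=None; Secure; Partitioned',
  'legacy=1; samesite=none',
  'plain=1',
];
console.log(audit(samples));
```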

Hello @norama,
thank you for creating an issue.
We have already prepared a Luigi v3 with a change that removes the 3rd party cookie check. See here.
As you may have heard, Google is pausing its plans to stop 3rd party cookies, which means we will also not remove it for now, but we discussed your issue in our daily and came to the conclusion to provide an option to disable the 3rd party cookie check.

Best regards,
Johannes

Hello @JohannesDoberer,

thanks for your quick reaction and for this disable option.
Actually I am considering using the luigi-container lightweight wrapper,
are you planning to add this option there as well?

Also I am not sure how to use the authData prop, could you give me some example,
how to provide this and access from the client in the iframe?
I wonder if it is safe at all to propagate auth data through a prop visible in the page source.

Best Regards,
Nóra Máté

Hello @norama,
we are currently investigating disabling it for LuigiContainer as well.

Regarding the authData:
The authData prop was a customer request and is currently available via an HTML attribute for LuigiContainers that render iframes. In fact, it is not very secure to store authData in the page source, but it was a request and we implemented it.
What we recommend is to use the context prop to store and pass authData to the micro frontend, like:

<luigi-container
  data-test-id="iframe-based-container-test"
  viewURL="./microfrontend.html">
</luigi-container>

Set the context via JS:

const luigiContainer = document.querySelector('[data-test-id="iframe-based-container-test"]');
// Initial context handed to the micro frontend ("xyz" is a placeholder token)
luigiContainer.context = { "content": "some content", "authData": { "accessToken": "xyz" } };
// and/or update the context later (updateContextButton is assumed to be an existing button element)
updateContextButton.addEventListener('click', () => {
  luigiContainer.updateContext({ "authData": { "accessToken": "xyz" } });
});

In your microfrontend you can read the authData like:

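// Called when the micro frontend is initialised; ctx carries the authData set on the container
LuigiClient.addInitListener(ctx => {
  console.log('init ctx', ctx);
});
// Called whenever the container updates the context
LuigiClient.addContextUpdateListener(ctx => {
  console.log('updated ctx', ctx);
});
// or read the current context on demand
LuigiClient.getContext();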

You can find more code examples here.
I hope this answers your question.

Cheers,

Johannes

Hello @JohannesDoberer,

thank you very much, I did not know how to use the context, but this pseudo code makes it clear,
it would be nice to have these short code examples inside the docs as well.
Now I have tried this and it works just fine :-).

However, the context is visible in the browser dev console among the luigi-container element properties.
It would be good to have this hidden or at least encrypted - though encryption can be solved by the programmer as well,
just more comfortable if the framework solves this.

Thank you for your help.

Nóra