CSRF token validation failed - Chrome - SameSite=None and Secure missing
florianstephan01 opened this issue · 1 comments
Since a few days i have problems when running UI5 Apps locally (via ui5 serve) in Chrome. The backend OData communication fails as the CSRF token can't be validated. Looking into the network, i could observe that Chrome is not sending the received '
SAP_SESSIONID...' cookie - furthermore in the set-cookie response i could identify that the 'SameSite=None' and 'Secure' property is missing in comparison to another scenario were we are directly using node/express which is still working. In FireFox and Safari the issue does not occur - seems that they do not care about the SameSite property.
Expected Behavior
Retrieved cookies are also set and sent out in Chrome when using ui5 serve for local testing. The CSRF token validation works.
Current Behavior
The CSRF token validation fails, as Chrome is not sending out the SAP_SESSION cookie ... the question is, why are the SameSite=None' and 'Secure' properties missing in the set-cookie response when using ui5 client tools.
Steps to Reproduce the Issue
As this issue occurs with a SAP internal system, please contact me for further details.
Context
- UI5 Module Version: 3.9.0
- Node.js Version: v18.15.0
- npm Version: 9.5.0
- OS/Platform: MacOS
- Browser (if relevant): Chrome Version 121.0.6167.160
Log Output / Stack Trace
{...}
Hi and thanks for reaching out.
It sounds like you are using some sort of proxy middleware. Please note that the UI5 Tooling project does not provide such functionality. In case you are using @sap/ux-ui5-tooling, please refer to the SAP Fiori tools team via the SAP Community Website: https://community.sap.com/topics/fiori-tools
You can also find related documentation and support channels for Fiori tools here: https://help.sap.com/viewer/product/SAP_FIORI_tools/Latest/en-US
I'll close this issue as it is not related to this project.