SameSite=None w/ Secure Breaking iFrame in IE11

Submitted by 岁酱吖の on 2020-04-30 11:43:15

Question


With the recent changes it seems that SameSite cookie attributes are throwing a wrench into my website now. A cross-browser iframe that was working before on my site is now broken - even with the SameSite=None; Secure being passed through the iFrame in the response header.

I've seen very different reports from people saying Windows 7 doesn't support SameSite=none. Others saying the Secure is breaking or not breaking it. But even the current Microsoft documentation doesn't lay out exactly how Win7 IE11 should react to SameSite=None.

At this point I'm looking for some tips or tricks from anyone who could assist. I've done everything I can think of. This worked before and now suddenly is blocking out the iFrame and throwing a 500 error. Could the order of the set-cookie be causing this?

From some browser testing I've found the following:

  • Windows 10 - IE11 broken, Edge broken, Edge(beta) works
  • Windows 8.1 - IE11 works, Edge(beta) works
  • Windows 8 - IE11 broken, Edge(beta) works
  • Windows 7 - IE11 broken, No Edge
  • The Set-Cookie response header:
    Set-Cookie MySitePersistence=436457226.47873.0000; path=/; httponly; secure; SameSite=none; Secure

    I tried targeting IE directly as a rewrite preCondition using
    <!-- With logicalGrouping="MatchAll" the outbound rule only fires when a
         Set-Cookie header is present, it does not already carry SameSite=none,
         and the User-Agent is neither legacy IE (MSIE token) nor IE11 (Trident token). -->
    <add input="{RESPONSE_Set_Cookie}" pattern="." />
    <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none" negate="true" />
    <add input="{HTTP_USER_AGENT}" pattern="^.*MSIE ([0-9]{1,}[\.0-9]{0,})*.*$" negate="true" />
    <add input="{HTTP_USER_AGENT}" pattern="^.*Trident/.*rv:([0-9]{1,}[\.0-9]{0,})*.*$" negate="true" />


    Answer 1:


    The issue occurs because the Asp.NET_SessionID cookie was not always being sent: due to the new cookie changes, the cookie now had a SameSite=Lax attribute.

    You could set the SameSite property for the session cookie to “None” by adding this in web.config:

    <system.web>
        <sessionState cookieSameSite="None" />
    </system.web>

    This with the outbound rules (SameSite=None; Secure) will work. You could refer to this similar thread.

    More information to reference:

    (1) SameSite in code for your ASP.net applications

    (2) SameSite=Lax in the new world

    (3) SameSite cookie updates in ASP.net, or how the .Net Framework from December changed my cookie usage
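The question's rewrite preConditions and the answer's session-cookie fix describe the same invariant from two sides: every cookie the iframe needs must carry `SameSite=None; Secure` exactly once for current browsers, and must not carry `SameSite=None` at all for the IE clients the question's rule excludes. The following added example (not code from the original post or from ASP.NET/IIS) lints a Set-Cookie header for that invariant and rewrites it per client. The two regexes mirror the MSIE and Trident patterns in the question; the session header and User-Agent strings are constructed for the demonstration, and the cookie value is the one quoted in the question.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Added example, not code from the original post. The two regexes mirror the
# MSIE / Trident User-Agent preConditions in the question; the session header
# and User-Agent strings below are constructed for the demonstration.
LEGACY_IE_PATTERNS = [
    re.compile(r"MSIE [0-9]{1,}[\.0-9]{0,}"),
    re.compile(r"Trident/.*rv:[0-9]{1,}[\.0-9]{0,}"),
]

# Canonical spelling for the attributes we rebuild (lookup is case-insensitive).
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "httponly": "HttpOnly",
             "secure": "Secure", "samesite": "SameSite"}


def is_legacy_ie(user_agent: str) -> bool:
    """True for the IE versions the question's rewrite rule excludes."""
    return any(p.search(user_agent) for p in LEGACY_IE_PATTERNS)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str], Counter]:
    """Split a Set-Cookie value into name, value, an ordered lower-cased
    attribute map (last occurrence wins) and a count of each attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    counts: Counter = Counter()
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip().lower()
        attrs[key] = val.strip()
        counts[key] += 1
    return name.strip(), value.strip(), attrs, counts


def lint_set_cookie(header: str) -> List[str]:
    """Report why a cookie would not reach a cross-site iframe."""
    name, _, attrs, counts = parse_set_cookie(header)
    problems = []
    samesite = attrs.get("samesite", "")
    if not samesite:
        problems.append(f"{name}: no SameSite attribute; Chromium now defaults it "
                        "to Lax, so it is not sent in a cross-site iframe")
    elif samesite.lower() in ("lax", "strict"):
        problems.append(f"{name}: SameSite={samesite} is not sent in a cross-site iframe")
    elif samesite.lower() == "none" and "secure" not in attrs:
        problems.append(f"{name}: SameSite=None without Secure is rejected by Chromium")
    for key, n in counts.items():
        if n > 1:
            problems.append(f"{name}: {CANONICAL.get(key, key)} appears {n} times; "
                            "two rules are probably both appending it")
    return problems


def build_set_cookie(name: str, value: str, attrs: Dict[str, str]) -> str:
    """Reassemble a header from the ordered attribute map, one attribute each."""
    parts = [f"{name}={value}"]
    for key, val in attrs.items():
        canon = CANONICAL.get(key, key)
        parts.append(canon if val == "" else f"{canon}={val}")
    return "; ".join(parts)


def rewrite_for_client(header: str, user_agent: str) -> str:
    """Emit SameSite=None; Secure exactly once for capable browsers and drop the
    attribute for the legacy IE clients the question's preConditions single out."""
    name, value, attrs, _ = parse_set_cookie(header)
    if is_legacy_ie(user_agent):
        attrs.pop("samesite", None)
    else:
        attrs["samesite"] = "None"
        attrs["secure"] = ""
    return build_set_cookie(name, value, attrs)


# Constructed samples: the header quoted in the question and a session cookie
# carrying the SameSite=Lax default the answer describes.
QUESTION_HEADER = ("MySitePersistence=436457226.47873.0000; path=/; httponly; "
                   "secure; SameSite=none; Secure")
SESSION_HEADER = "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax"
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")

if __name__ == "__main__":
    for h in (QUESTION_HEADER, SESSION_HEADER):
        print(h)
        for problem in lint_set_cookie(h):
            print("  -", problem)
        print("  -> chrome:", rewrite_for_client(h, CHROME_UA))
        print("  -> ie11:  ", rewrite_for_client(h, IE11_UA))
```

Run against the question's own header, the linter reports nothing fatal but flags `Secure` appearing twice, which is consistent with two separate rules each appending it; run against the session cookie it reports the `SameSite=Lax` default that keeps the cookie out of the iframe. Applying the same rewrite to every Set-Cookie in the response, rather than to a single cookie, is what the answer's `cookieSameSite="None"` plus the outbound rule achieve on the IIS side.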



    Source: https://stackoverflow.com/questions/60193497/samesite-none-w-secure-breaking-iframe-in-ie11
