iframes in Local Page Broken in Vivaldi 3.3



  • I have a local HTML page (loaded via file://) which uses iframes to show portions of four external pages (for controlling a heat pump system).


    The iframes look like this:

    <div class=thermostat>
    	<iframe class=thermostat
    		src="https://symphony.mywaterfurnace.com/thermostat/?gwid=...#Thermostat"
    	></iframe>
    </div>
    
    <div class=equipment>
    	<iframe class=equipment
    		src="https://symphony.mywaterfurnace.com/?gwid=...#equipment_summary"
    	></iframe>
    </div>
    

    The page works fine in Firefox 80.0.1 and in Edge 85.0.564.51. It worked in Vivaldi 3.2 if I turned OFF "Block Third-Party Cookies" (which I don't like to do). With the same setting in Vivaldi 3.3, the remote site refuses to log me in, probably because it can't set cookies.


    Normally a page with iframes involves three domains: the client (browser), the page's server, and the server referenced by the iframe. Presumably Firefox and Edge consider a local page loaded by file:// to be in the same domain as the client (browser). So for iframes there is no third party involved, and the iframe's referenced page can set cookies in the client as if it had been opened directly. I think Vivaldi should do the same thing.

    I have tried to work around the problem using various iframe attributes (e.g. referrerpolicy and sandbox), with no success. Does anyone know of a workaround?


  • Moderator

    @GJS Maybe the mixed content from local file and remote server protocol mix is not allowed anymore.

    Check Developer Tools (F12)
    Console for errors



  • @GJS This is likely due to the new strict samesite cookies handling in Chrome 84 and newer.

    See:
    https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
    https://medium.com/trabe/cookies-and-iframes-f7cca58b3b9e
    https://blog.heroku.com/chrome-changes-samesite-cookie
    https://web.dev/samesite-cookie-recipes/

    One idea though, try adding the domain to the "Always allow" override list here:
    chrome://settings/content/cookies



  • Thank you for the suggestions.

    @Gwen-Dragon -- The only issues listed in the Developer Tools Console are:

    • Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute.
    • Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute.

    Cookie attributes are set by the remote server, which I have no control over.

    @Pathduck -- Setting "Always allow" for the iframe's src site did not help. The links you referenced are informative, but they all describe requirements on the server, which I don't have access to, and assume that the iframe is being served from another site. I have not found any discussion about an iframe inside a local document.

    MS Edge on my system uses Chrome 85.0.4183.102 and handles the local page successfully with no special treatment. That implies to me that another browser could use the same methods. My gut feeling is that the browser must treat an iframe inside a local HTML file as a same-site connection, but I have not been able to find any discussion or examples.

    I wrote a local page with an iframe to print out domain information. The output from running it in MS Edge does not give me any clues:

    Window.Location = 'file:///C:/Data/HTML/ShowDomain.html'
    Window.Domain   = ''
    
    Document.Location = 'file:///C:/Data/HTML/ShowDomain.html'
    Document.Domain   = ''
    
    iframe.Location = 'about:blank'
    iframe.Domain   = ''
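
The two console issues quoted in the post above correspond to the SameSite rules described in the linked articles. As an added example (not code from any poster, browser or the remote site), the sketch below models those rules for a frame embedded in a file:// page, assuming the browser treats that embedding as cross-site; the cookie names and values are constructed, and hostnames are compared exactly where a real browser compares registrable domains.

```javascript
// Added example: simplified model of the cookie rules, not browser source code.
// Cookie names/values are constructed; real browsers compare registrable
// domains (eTLD+1), this sketch compares hostnames exactly.

function frameIsCrossSite(topLevelUrl, frameUrl) {
  // A file:// page has an empty hostname, so it never matches an https host.
  return new URL(topLevelUrl).hostname !== new URL(frameUrl).hostname;
}

// Parse one Set-Cookie header value into its name and the two attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// Would this cookie be stored and sent for the framed document?
function frameCookieVerdict(topLevelUrl, frameUrl, header, blockThirdParty = false) {
  const cookie = parseSetCookie(header);
  if (!frameIsCrossSite(topLevelUrl, frameUrl)) return { usable: true, reason: 'same-site frame' };
  if (blockThirdParty) return { usable: false, reason: 'third-party cookies blocked in settings' };
  // Missing or unrecognised SameSite values are treated as Lax.
  const mode = ['strict', 'lax', 'none'].includes(cookie.sameSite) ? cookie.sameSite : 'lax';
  if (mode !== 'none') {
    return { usable: false, reason: `SameSite=${mode} is neither stored nor sent in a cross-site frame` };
  }
  if (!cookie.secure) return { usable: false, reason: 'SameSite=None without Secure is rejected' };
  return { usable: true, reason: 'SameSite=None; Secure' };
}

const TOP = 'file:///C:/Data/HTML/ShowDomain.html';   // local page path from the post above
const FRAME = 'https://symphony.mywaterfurnace.com/'; // iframe host from the thread
const SAMPLE_HEADERS = [                              // constructed Set-Cookie values
  'session=abc123; Path=/; HttpOnly',
  'session=abc123; Path=/; SameSite=None',
  'session=abc123; Path=/; Secure; SameSite=None',
];
for (const h of SAMPLE_HEADERS) {
  console.log(h, '->', frameCookieVerdict(TOP, FRAME, h).reason);
}
```

Only the third header survives in the cross-site frame, and only while third-party cookie blocking is off, which is why the attribute has to be set by the remote server.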
    

  • Moderator

    @GJS There are internal flags in Vivaldi which could be used to override the cross-site security for cookies. But that is not recommended by the Vivaldi team as it could result in stealing login data.
    https://stackoverflow.com/questions/59030096/how-to-disable-same-site-policy-in-chrome

    Or … maybe if all requests (the page and the iframes!) are over HTTPS it could work.


  • Moderator

    @GJS Edge? Perhaps Microsoft ChromeEdge has got its own patches or a bug. 😉

    Would be interesting to know if Chromium 85 from Wolyss has the same issue as Vivaldi 3.3.
    If it works in Chromium but not in Vivaldi, that could be a bug. Then you can send a bug report to Vivaldi devs with a reproducible test case(!).



  • @Gwen-Dragon - I created a test page. It works in Firefox (Gecko) and Edge (Chromium). It fails in Chromium browser, Google Chrome, and Vivaldi. I don't know how to proceed further on this track. Should I:

    • Make a change request for Vivaldi?
    • Plead my case with the Chromium developers?
    • Try to get the remote site to change their cookie parameters? (Not likely to succeed, and it wouldn't help with other sites.)

    For now, I am using a four-tab tiled grid in Vivaldi. It basically works, but is fiddly. All panels have to use the same zoom scale. I have to adjust the tile sizes and scroll positions after each startup. To check for session timeout, the document in each tab reloads itself every 25 minutes. That shifts the scroll position a little each time, so eventually I have to readjust them. I'm looking into JavaScript to periodically restore the scroll positions.


    This all seems harder than it ought to be. It might help to have options to lock the zoom scale and/or scroll position and/or size of a tile (or a tab). Maybe a little padlock icon/button at the intersection of its scrollbars. That would make the panel work a bit more like an iframe (which can specify scale and offset).


  • Moderator

    @GJS said in iframes in Local Page Broken in Vivaldi 3.3:

    Plead my case with the Chromium developers?

    Yes. Please report at https://bugs.chromium.org/p/chromium/issues/list
    After you get the report link, please report the issue to Vivaldi and add a link to the Chromium bug. Do not forget a reproducible test case.

