
CORB error with Chrome 80 SameSite cookies

Updated on February 7, 2022

Ensure that a mashup displays as intended by resolving the Cross-Origin Read Blocking (CORB) error with SameSite cookies in Chrome 80.

Condition

Users who use a Pega web mashup in a Chrome session with the SameSite secure cookie attribute set to None or to Strict experience the Cross-Origin Read Blocking (CORB) error.

The error message reads as follows:

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://********/prweb/DGUM90lACED74DAWt5QdLQ%5B%5B*/!STANDARD?pyactivitypzZZZ=cf4bf40cc749310addc30ad4a5d8a8da8f527e446e4c7aed0d9ddacebc22fc865032be060df4542d53cc37376de8e4b46b3831dec248c3606364118229dc8a9df1271e976a2d6094f7d227f2025f4ff5aebd1374ba29b875bfeddf86e4ba0b3d3da2d045be018a9499549d3dc91494b27f576e4ecdf76e2b5c6f66ea5c20ea20c018c629bf31fe0bf97655abe161018af7c308b50cf948fdc10e597dc5da47e0ff28e2bd87514c41bffdbf70f2968ebb1c97b6997e1a2e7268aa63ccea0a8127*

Cause

In February 2020, Google Chrome 80 implemented a secure cookie model, changing the default value of the SameSite cookie attribute from None to Lax. This change negatively affects all deployments that use Pega web mashups running on Pega Platform 7.2 to 8.4, which require the prescribed solution.

Solution

  • Apply a hotfix or upgrade to a Pega Platform Patch Release:

    1. Obtain and install the hotfixes for Pega Platform 7.2.x to 7.4, or upgrade to the designated Pega Platform 8.x Platform Patch Release.

      Pega Platform Release    Hotfix or Platform Patch Release
      7.2                      HFix-60723
      7.2.1                    HFix-60801
      7.2.2                    HFix-60346
      7.3                      HFix-60724
      7.3.1                    HFix-60725
      7.4                      HFix-60726
      8.1.x                    Pega 8.1.9
      8.2.x                    Pega 8.2.8
      8.3.x                    Pega 8.3.4
      8.4.x                    Pega 8.4.3
      8.5.x                    Pega 8.5.1
    2. Create a dynamic system setting with the following properties:

      • Owning Ruleset: Pega-Engine
      • Setting Purpose: security/csrf/samesitecookieattributevalue
      • Value: none

      For more information, see Creating a dynamic system setting.

    3. For Pega Platform 8.2 and earlier releases, restart the server for the dynamic system setting to take effect.

      For Pega Platform 8.3 and later releases, when you add or update the security/csrf/samesitecookieattributevalue dynamic system setting, you do not need to restart the server or clustered servers.
    Note: After setting the security/csrf/samesitecookieattributevalue dynamic system setting to none, use Pega web mashups only on secure (HTTPS) connections.
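
The following check is an added example, not Pega code: it classifies a Set-Cookie header by whether Chrome 80 or later would attach the cookie to requests from a cross-site mashup iframe, which shows why the none value works only together with the Secure attribute, that is, over HTTPS. The cookie name and values are constructed sample data, and the function names are hypothetical.

```javascript
// Added example (not Pega code). Cookie names and values are constructed.
const KNOWN = ["strict", "lax", "none"];

// Parse one Set-Cookie header value into the fields this check needs.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq < 0 ? nameValue : nameValue.slice(0, eq),
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") cookie.secure = true;
    if (k === "samesite") cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Decide whether Chrome 80+ attaches the cookie to requests made from a
// mashup iframe hosted on a different site than the Pega server.
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  // A missing attribute defaults to Lax; this sketch treats an
  // unrecognised value the same way.
  const effective = KNOWN.includes(c.sameSite) ? c.sameSite : "lax";
  if (effective !== "none") {
    return { name: c.name, sent: false, reason: `SameSite=${effective} is withheld in a cross-site iframe` };
  }
  if (!c.secure) {
    return { name: c.name, sent: false, reason: "SameSite=None without Secure is rejected" };
  }
  return { name: c.name, sent: true, reason: "SameSite=None; Secure is sent cross-site" };
}

// Constructed sample headers covering each outcome.
const samples = [
  "sid=abc123; Path=/prweb; HttpOnly",
  "sid=abc123; Path=/prweb; HttpOnly; SameSite=None",
  "sid=abc123; Path=/prweb; HttpOnly; Secure; SameSite=None",
  "sid=abc123; Path=/prweb; Secure; SameSite=Strict",
];
for (const h of samples) {
  const v = crossSiteVerdict(h);
  console.log(`${v.sent ? "SENT   " : "BLOCKED"} ${h}  (${v.reason})`);
}
```

Run it against the Set-Cookie headers captured from your own server's responses after applying the dynamic system setting; only headers that carry both SameSite=None and Secure should be reported as sent.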
