7 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    An error occurred while saving the comment
    Ana Alvarez commented  · 

    Lowes Pro Supply punchout customers are also requesting to keep the punchout catalog in a frame within their procurement systems.
    Opti Expert services analyzed the scenario for lowesprosupply.com website and responded as below:
    "Although framing is technically possible by adding the content-security-options and X-frame-options, modern browser security policies prevent session cookies from being used in a third-party iframe when they are configured with SameSite=Lax. SameSite=Lax helps protect against Cross-Site Request Forgery (CSRF) by not sending cookies on most cross-site requests.
    Because our platform currently uses this setting, the browser blocks the session cookie when the storefront is loaded inside Yardi’s iframe. As a result, the PunchOut user cannot remain authenticated even though the page loads successfully.
    To allow authentication inside the iframe, we might need to change the cookie configuration in our web.config from:
    SameSite=Lax → SameSite=None (with Secure)
    This change would modify the security posture of the storefront and introduce several risks. Cookies would be accessible in third-party embedded contexts, which increases exposure to cross-site request and session-handling risks. Some browsers already restrict or phase out third-party cookies, even when SameSite=None is used. This could create unpredictable behavior across environments."
    Our business is highly impacted by this. Do we have any resolution?
    Thanks in advance.

    Ana Alvarez supported this idea  ·
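The cookie behaviour the comment above quotes (a SameSite=Lax session cookie not being sent when the storefront is loaded in a procurement system's iframe, and SameSite=None; Secure being the setting that would allow it) can be worked through in a small model. The block below is an added example written for this page; it is not code from the original post, from Lowes Pro Supply, or from Opti Expert services. It assumes a hypothetical procurement-system origin (https://procurement.yardi.example), an assumed cookie name (storefront_session), and a simplified "same site" rule (last two host labels) in place of the Public Suffix List that real browsers use. It also shows the framing header that goes with such a change: if framing is allowed at all, frame-ancestors restricted to the one procurement origin, rather than removing the clickjacking protection outright.

```javascript
// Added example, not the original post's or the vendor's code.
// Models whether a session cookie is attached to a request, given its
// SameSite attribute and the request context, then prints the two cookie
// configurations and a restricted framing header.

const STOREFRONT = "https://www.lowesprosupply.com";     // site named in the post
const PROCUREMENT = "https://procurement.yardi.example"; // assumed, hypothetical host

// Current configuration and the one the quoted reply proposes.
const LAX_COOKIE = { name: "storefront_session", sameSite: "Lax", secure: true };
const NONE_COOKIE = { name: "storefront_session", sameSite: "None", secure: true };

// Simplified "site" of an origin: last two host labels. Assumption; real
// browsers use the Public Suffix List here.
function site(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// Would the browser attach `cookie` to the request described by `ctx`?
//   ctx.requestUrl           URL being fetched
//   ctx.topLevelOrigin       origin shown in the address bar
//   ctx.initiatorOrigin      document that issued the request
//   ctx.isTopLevelNavigation true when the top-level window itself navigates
//   ctx.method               HTTP method of the request
function cookieSent(cookie, ctx) {
  const req = new URL(ctx.requestUrl);
  if (cookie.secure && req.protocol !== "https:") return false;
  // Browsers reject SameSite=None cookies that are not also marked Secure.
  if (cookie.sameSite === "None" && !cookie.secure) return false;

  const target = site(ctx.requestUrl);
  const crossSite =
    target !== site(ctx.topLevelOrigin) || target !== site(ctx.initiatorOrigin);
  if (!crossSite) return true;

  switch (cookie.sameSite) {
    case "None":   return true;   // sent in any cross-site context
    case "Strict": return false;  // never sent cross-site
    default:                      // Lax: only safe top-level navigations
      return ctx.isTopLevelNavigation && ctx.method === "GET";
  }
}

// Constructed request contexts for the punchout flow.
const SCENARIOS = {
  // Procurement system sends the user to the storefront in the top-level window.
  topLevelPunchOut: {
    requestUrl: STOREFRONT + "/punchout/start",
    topLevelOrigin: STOREFRONT,
    initiatorOrigin: PROCUREMENT,
    isTopLevelNavigation: true,
    method: "GET",
  },
  // Procurement page loads the storefront inside an <iframe>.
  framedLoad: {
    requestUrl: STOREFRONT + "/punchout/start",
    topLevelOrigin: PROCUREMENT,
    initiatorOrigin: PROCUREMENT,
    isTopLevelNavigation: false,
    method: "GET",
  },
  // A later form submission from inside that iframe.
  framedNavigation: {
    requestUrl: STOREFRONT + "/cart",
    topLevelOrigin: PROCUREMENT,
    initiatorOrigin: STOREFRONT,
    isTopLevelNavigation: false,
    method: "POST",
  },
};

// Set-Cookie header for a given configuration.
function setCookieHeader(cookie, value) {
  const parts = [`${cookie.name}=${value}`, "Path=/", "HttpOnly", `SameSite=${cookie.sameSite}`];
  if (cookie.secure) parts.push("Secure");
  return parts.join("; ");
}

// If framing is permitted, allow only the named ancestors. X-Frame-Options
// cannot express an allow-list (ALLOW-FROM is obsolete), so CSP does the work.
function framingHeaders(allowedAncestors) {
  return {
    "Content-Security-Policy": `frame-ancestors 'self' ${allowedAncestors.join(" ")}`,
  };
}

for (const [name, ctx] of Object.entries(SCENARIOS)) {
  console.log(
    name.padEnd(17),
    "Lax:", cookieSent(LAX_COOKIE, ctx),
    " None;Secure:", cookieSent(NONE_COOKIE, ctx),
  );
}
console.log("current :", setCookieHeader(LAX_COOKIE, "<session id>"));
console.log("proposed:", setCookieHeader(NONE_COOKIE, "<session id>"));
console.log(framingHeaders([PROCUREMENT]));
```

Running it shows the Lax cookie surviving only the top-level punchout navigation and being dropped for both framed requests, while the None; Secure cookie is sent in all three. The None-without-Secure case returns false because browsers refuse to store such a cookie at all, which is why the quoted reply says "with Secure". The model does not cover the separate third-party-cookie blocking the reply warns about: a browser that blocks third-party cookies will drop the framed request's cookie even when SameSite=None is set.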