docs: explain samesite=none requirement for embedding solara in iframes

widgetti · Oct 11, 2024 · e1ec763 · e1ec763
1 parent 7d30935
commit e1ec763
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/solara/server/starlette.py b/solara/server/starlette.py
@@ -451,6 +451,18 @@ async def root(request: Request, fullpath: str = ""):
     if request.scope["scheme"] == "https" or request.headers.get("x-forwarded-proto", "http") == "https" or request.base_url.hostname == "localhost":
         samesite = "none"
         secure = True
+    elif request.base_url.hostname != "localhost":
+        warnings.warn(f"""Cookies with samesite=none require https, but according to the asgi framework, the scheme is {request.scope['scheme']!r}
+and the x-forwarded-proto header is {request.headers.get('x-forwarded-proto', 'http')!r}. We will fallback to samesite=lax.
+
+If you embed solara in an iframe, make sure you forward the x-forwarded-proto header correctly so that the session cookie can be set.
+
+See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite for more information on samesite cookies.
+
+Also check out the following Solara documentation:
+ * https://solara.dev/documentation/getting_started/deploying/self-hosted
+ * https://solara.dev/documentation/advanced/howto/embed
+""")
     response.set_cookie(
         server.COOKIE_KEY_SESSION_ID,
         value=session_id,

diff --git a/solara/website/pages/documentation/advanced/content/10-howto/40-embed.md b/solara/website/pages/documentation/advanced/content/10-howto/40-embed.md
@@ -41,7 +41,8 @@ If you do not see your app, you can open the browser developer tools in your bro
 
 ### Security considerations
 
-Solara uses a cookie to implement sessions. To support cookies settings in an iframe, we set the session cookie using `Secure`, and `SameSite=Strict`. See [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies](MDN) for more details. This means that we can only support loading via iframes via https or localhost.
+Solara uses a cookie to implement sessions. To support setting cookies in an iframe, we set the session cookie using `Secure`, and `SameSite=Strict`. See [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) for more details. This means that we can only support iframes via https or localhost. Note that proxy servers can tell
+solara-server that the connection is secure by forwarding the `X-Forwarded-Proto` header, see [our self hosted deployment documentation for more information](https://solara.dev/documentation/getting_started/deploying/self-hosted).
 
 
 ## Embed into an existing page