
Chrome 80, PunchOut2Go has you covered!

We keep our customers at the forefront of technology, driving success and, most importantly, continuity through integrations. To that end, we have developed solutions to mitigate the punchout catalog issues related to the Chrome 80 cookie change.

Chrome 80 Cookie Update

Chrome 80 Cookie Update Affects Punchout Catalogs

Chrome 80 will start rolling out on February 4, 2020. As of Chrome 80 (also used by the new “Edge” browser), Chrome changes the default “SameSite” cookie policy from “None” to “Lax”: when the SameSite attribute is absent from a cookie, the cookie will now be treated as “Lax” instead of “None”. This affects how cookies are handled when they are set by framed content.

We have created an auto-detection behavior that mitigates this change without requiring StoreFront changes. Do note that it changes the shopping experience behavior.

General Announcement: Chrome 80 is Changing how it treats Cookies, affecting PunchOut Catalogs

Chrome’s upcoming release 80 (including Chromium-based Edge), scheduled for February 2020, changes the policies for handling cookies. This change includes improvements in default configurations that enable increased security and privacy controls. These updated default configuration settings will affect how cookies are allowed to be used, specifically affecting multi-site integrations that rely on iframes.

If these settings remain in their default state applied through the update, your PunchOut service will potentially be impacted.

For additional information, refer to this Chromium blog post. https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

Refer to Google Chrome 80 release timeline here. https://www.chromium.org/updates/same-site

What is happening?

Chrome is changing the default behavior for how it handles cookies. Specifically, the “SameSite” property, which is applied when cookies are set, will have a new default value.

The current default is to treat a cookie as SameSite=None; the new default will be SameSite=Lax.

The change in cookie behavior makes the browser refuse cookies from 3rd parties (i.e., internal frames).

How does this change affect our PunchOut Catalogs?

Procurement Systems such as Ariba, Jaggaer, Birchstreet and SAP utilize iframes while accessing your PunchOut storefront. Cookies set by framed content are seen as 3rd party cookies and will not be accepted with this new default.

Systems such as Coupa are not affected.

Does this affect non-framed sites or “pop-outs”?

1st party cookies over HTTPS are not affected. This includes sites that utilize a “Pop-Out” shopping window or target=_top which overtakes the original frame.

What needs to be done?

The “Set-Cookie” header, which all browsers use to receive cookies, needs to explicitly set the “SameSite=None; Secure” policies on each cookie. This is an HTTP response header and is applied by the storefront.

Set-Cookie: SID=abcde1234567; path=/; SameSite=None; secure

Are there concerns about adding this policy?

While many browsers will ignore this new policy, others will interpret it incorrectly. The following browsers do not handle the policy correctly:

  • Chrome 51 to Chrome 66 (inclusive on both ends)
  • Safari and embedded browsers on MacOS 10.14
  • All browsers on iOS 12
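
One way a storefront could apply this list when setting its session cookie, shown as an added example that is not PunchOut2Go's code: it checks the User-Agent against the three browser groups above and leaves the SameSite attribute off for them. The function names and the sample User-Agent strings are constructed for illustration.

```javascript
// Added example, not PunchOut2Go code; function names are hypothetical.
// The browser list is the one given above; the User-Agent strings are constructed.

// True when the User-Agent is a browser listed as mishandling SameSite=None.
function mishandlesSameSiteNone(userAgent) {
  const ua = userAgent || "";

  // All browsers on iOS 12.
  if (/\(iP(?:hone|ad|od)[^)]*OS 12_\d/.test(ua)) return true;

  // Safari and embedded browsers on macOS 10.14 (Chrome on 10.14 is not listed).
  if (/\(Macintosh;[^)]*Mac OS X 10_14(?:_\d+)?[;)]/.test(ua)) {
    const safari = /Version\/[\d.]+ .*Safari\//.test(ua) && !/Chrom(?:e|ium)\//.test(ua);
    const embedded = /^Mozilla\/[\d.]+ \(Macintosh;[^)]*\) AppleWebKit\/[\d.]+ \(KHTML, like Gecko\)$/.test(ua);
    if (safari || embedded) return true;
  }

  // Chrome 51 to Chrome 66, inclusive on both ends.
  const m = /Chrom(?:e|ium)\/(\d+)/.exec(ua);
  return m !== null && Number(m[1]) >= 51 && Number(m[1]) <= 66;
}

// Build the Set-Cookie value. Listed browsers get no SameSite attribute at all,
// so they keep their old default; every other browser gets SameSite=None.
function buildSetCookie(name, value, userAgent) {
  const base = `${name}=${value}; Path=/; Secure`;
  return mishandlesSameSiteNone(userAgent) ? base : `${base}; SameSite=None`;
}

// Constructed sample User-Agent strings, one per case.
const SAMPLE_UAS = {
  chrome80: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
  chrome60: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
  ios12: "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
  mac1014Safari: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
  mac1014Chrome: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
};

for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(label.padEnd(14), buildSetCookie("SID", "abcde1234567", ua));
}
```

User-Agent strings can be altered by the client, so this check is a compatibility measure for cookie delivery and not something to base access decisions on.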

The PunchOut2Go PunchOut Catalog Solution: Browser Detected PunchOut Launch Screen

PunchOut2Go can configure a browser-specific launch screen.

The launch screen detects the frame usage and the browser to determine whether the user session is going to have a problem. If the browser is detected as framed and using Chrome >=80, it will launch the shopping window to a separate screen. If no issue is detected, the session will continue without changing from the existing experience.

While shopping, the frame is retained in the background.

When shopping is finished, the shopping window is closed and the item data is returned from within the original frame.

By launching into a separate window, the shopping session's cookie functions as a first-party cookie, and the Chrome 80 change does not impact cookie retention.

The screenshots below illustrate the shopping window being separate from the frame. Note that the separate window does initially open at full screen and not offset as shown in the screenshots.

If you are already a PunchOut2Go customer or partner, we have already communicated with your teams and you are good to go. If you are not a customer of PunchOut2Go, there's no time like the present. Contact us to position your company with continuity.
