fix: set samesite to none for user agent cookie for iframe usage (#6162)

Co-authored-by: Fabi <fabienne@zitadel.com>

internal/api/http/middleware/user_agent_cookie.go

@@ -6,6 +6,9 @@ import (
 	"strings"
 	"time"
 
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/id"
@@ -71,8 +74,11 @@ func (ua *userAgentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 	if err == nil {
 		ctx := context.WithValue(r.Context(), userAgentKey, agent.ID)
+		instance := authz.GetInstance(r.Context())
+		allowedHosts := instance.SecurityPolicyAllowedOrigins()
 		r = r.WithContext(ctx)
-		ua.setUserAgent(w, r.Host, agent)
+		err = ua.setUserAgent(w, r.Host, agent, len(allowedHosts) > 0)
+		logging.WithFields("instanceID", instance.InstanceID()).OnError(err).Error("unable to set user agent cookie")
 	}
 	ua.nextHandler.ServeHTTP(w, r)
 }
@@ -94,8 +100,8 @@ func (ua *userAgentHandler) getUserAgent(r *http.Request) (*UserAgent, error) {
 	return userAgent, nil
 }
 
-func (ua *userAgentHandler) setUserAgent(w http.ResponseWriter, host string, agent *UserAgent) error {
-	err := ua.cookieHandler.SetEncryptedCookie(w, ua.cookieName, host, agent)
+func (ua *userAgentHandler) setUserAgent(w http.ResponseWriter, host string, agent *UserAgent, iframe bool) error {
+	err := ua.cookieHandler.SetEncryptedCookie(w, ua.cookieName, host, agent, iframe)
 	if err != nil {
 		return errors.ThrowPermissionDenied(err, "HTTP-AqgqdA", "cannot set user agent cookie")
 	}