fix: set samesite to none for user agent cookie for iframe usage (#6162)

Co-authored-by: Fabi <fabienne@zitadel.com>

internal/api/http/cookie.go

@@ -111,7 +111,7 @@ func (c *CookieHandler) SetCookie(w http.ResponseWriter, name, domain, value str
 	c.httpSet(w, name, domain, value, c.maxAge)
 }
 
-func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain string, value interface{}) error {
+func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain string, value interface{}, sameSiteNone bool) error {
 	if c.securecookie == nil {
 		return errors.ThrowInternal(nil, "HTTP-s2HUtx", "securecookie not configured")
 	}
@@ -119,7 +119,11 @@ func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain s
 	if err != nil {
 		return err
 	}
-	c.httpSet(w, name, domain, encoded, c.maxAge)
+	sameSite := c.sameSite
+	if sameSiteNone {
+		sameSite = http.SameSiteNoneMode
+	}
+	c.httpSetWithSameSite(w, name, domain, encoded, c.maxAge, sameSite)
 	return nil
 }
 
@@ -128,6 +132,10 @@ func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) {
 }
 
 func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value string, maxage int) {
+	c.httpSetWithSameSite(w, name, domain, value, maxage, c.sameSite)
+}
+
+func (c *CookieHandler) httpSetWithSameSite(w http.ResponseWriter, name, domain, value string, maxage int, sameSite http.SameSite) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     SetCookiePrefix(name, domain, c.path, c.secureOnly),
 		Value:    value,
@@ -136,7 +144,7 @@ func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value strin
 		MaxAge:   maxage,
 		HttpOnly: c.httpOnly,
 		Secure:   c.secureOnly,
-		SameSite: c.sameSite,
+		SameSite: sameSite,
 	})
 	varyValues := w.Header().Values("vary")
 	for _, vary := range varyValues {

internal/api/http/middleware/user_agent_cookie.go

@@ -6,6 +6,9 @@ import (
 	"strings"
 	"time"
 
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/id"
@@ -71,8 +74,11 @@ func (ua *userAgentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 	if err == nil {
 		ctx := context.WithValue(r.Context(), userAgentKey, agent.ID)
+		instance := authz.GetInstance(r.Context())
+		allowedHosts := instance.SecurityPolicyAllowedOrigins()
 		r = r.WithContext(ctx)
-		ua.setUserAgent(w, r.Host, agent)
+		err = ua.setUserAgent(w, r.Host, agent, len(allowedHosts) > 0)
+		logging.WithFields("instanceID", instance.InstanceID()).OnError(err).Error("unable to set user agent cookie")
 	}
 	ua.nextHandler.ServeHTTP(w, r)
 }
@@ -94,8 +100,8 @@ func (ua *userAgentHandler) getUserAgent(r *http.Request) (*UserAgent, error) {
 	return userAgent, nil
 }
 
-func (ua *userAgentHandler) setUserAgent(w http.ResponseWriter, host string, agent *UserAgent) error {
+func (ua *userAgentHandler) setUserAgent(w http.ResponseWriter, host string, agent *UserAgent, iframe bool) error {
-	err := ua.cookieHandler.SetEncryptedCookie(w, ua.cookieName, host, agent)
+	err := ua.cookieHandler.SetEncryptedCookie(w, ua.cookieName, host, agent, iframe)
 	if err != nil {
 		return errors.ThrowPermissionDenied(err, "HTTP-AqgqdA", "cannot set user agent cookie")
 	}