-
Notifications
You must be signed in to change notification settings - Fork 27.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DraftMode __prerender_bypass cookie SameSite LAX instead of None #49927
Comments
I have the same problem with Storyblok CMS
|
Maybe it helps, but I found a strange behaviour: In an app-Dir API endpoint I activated draftMode().enable() and tried to write an additional cookie with data for preview (as I did before with __next_preview_data). It costs me 8+ hours to find out that draftMode.enable() was responsible for changing my additional cookie!
console.log was as expected, but the browser never showed the Secure flag, so the cookie was not taken. As I don't need (I hope) draftMode right now, I removed it and just use my custom preview cookie. If I have time I search the source code for the reason, not sure if it's a bug. |
I don't know if it's related but for me I'm having issues when trying to enable draft mode when using a redirect. This code where it returns new Response like in NextJS docs works and the cookie is set correctly. However when I do a redirect instead of returning new Response then the page redirects correctly but there is no cookie set. // route handler with secret and slug
import { draftMode } from "next/headers";
import { redirect } from "next/navigation";
export async function GET(request: Request) {
// // Parse query string parameters
const { searchParams } = new URL(request.url);
const secret = searchParams.get("secret");
const slug = searchParams.get("slug");
console.log({
secret,
slug,
});
// // Check the secret and next parameters
// // This secret should only be known to this route handler and the CMS
if (secret !== "mysecret" || !slug) {
return new Response("Invalid token", { status: 401 });
}
// Enable Draft Mode by setting the cookie
draftMode().enable();
// // Redirect to the path from the fetched post
// // We don't redirect to searchParams.slug as that might lead to open redirect vulnerabilities
// redirect(slug);
return new Response("Draft mode is enabled");
} |
I have the same experience @edustef, I'm using next js 13.4.9 and contentful as my CMS |
I had a similar issue accessing the cookies via an iframe. I tried this and it's working for now.
|
@edustef The redirect issue seems unrelated. That was fixed in #49965. You can try it out by upgrading Next.js by running @fromthemills Thanks for created the repo! However it only shows the Next.js api route and not the corresponding iframe code. Can you share that code so we can confirm that |
@styfle I never made a reproduction with an iFrame. As setting up such an example was a bigger effort. I am working with a headless CMS which support preview mode using an iFrame and which I used to test the behaviour. I confirmed that the cookie is now set with SameSite as |
I'm using Storyblok and can't use Draft mode... UPDATE: this seems to work. Basically using draftMode() but once it's set, grabbing the value and then change it's SameSite settings. draftMode().enable();
const draft = cookies().get('__prerender_bypass')
cookies().set('__prerender_bypass', draft?.value, {
httpOnly: true,
sameSite: 'None',
secure: true,
path: '/',
}); This allows me to check isEnabled as you normally would!!! |
also an issue with contentful but this fix works: draftMode().enable();
const draft = cookies().get("__prerender_bypass");
const draftValue = draft?.value;
if (draftValue) {
cookies().set({
name: "__prerender_bypass",
value: draftValue,
httpOnly: true,
path: "/",
secure: true,
sameSite: "none",
});
} |
UpdateGot it working after some testing. As previous, thanks to you all, to set the cookie use the following in a
Then to exit the draft mode take the same cookie and set the expire data to past,
This solves the issue of updating the cookie in the CMS (my case Storyblok). |
I'd like to get a fix in place in nextjs if no one has been working on this issue on NextJS dev team side. The fix suggested above from above comment works fine, but I think it might be worth it to fix it on the framework side instead of copying a block of Cookie rewrite snippet in each application. I don't think having How about using events for cross origin domains when nextjs app is being embedded as iframes? @styfle I saw this issue is assigned to you. Do you mind to share some of your thought and is it possible for me to work on it if you haven't started looked into this issue? |
I have used the following workaround for the pages router: // ...
res.setDraftMode({ enable: true });
const cookies = res.getHeader("Set-Cookie").map((cookie) => {
if (cookie.match(/^__prerender_bypass=/)) {
return cookie.replace(/SameSite=Lax/, "SameSite=None; Secure=True");
}
return cookie;
});
res.setHeader("Set-Cookie", cookies);
// ... |
thanks for sharing! just to point out this works for Contentful as well. |
Still works in Next 15 with the new async headers: // Enable Draft Mode by setting the cookie
(await draftMode()).enable();
const co = await cookies();
const draft = co.get('__prerender_bypass');
const draftValue = draft?.value;
if (draftValue) {
co.set({
name: '__prerender_bypass',
value: draftValue,
httpOnly: true,
path: '/',
secure: true,
sameSite: 'none',
});
} |
@backflip how are you doing the redirection ? i am having the same issue the cookie being sent as "SameSite=Lax" even after doing the above or this below. Do you mind to share some of your thought on this ? res.setHeader(
'Set-Cookie',
`__prerender_bypass='testdata'; Path=/; HttpOnly; Secure; SameSite=None`,
); |
@Gedewon, I had to add const cookies = res.getHeader("Set-Cookie").map((cookie) => {
if (cookie.match(/^(__prerender_bypass|__next_preview_data)=/)) {
return cookie.replace(/SameSite=Lax/, "SameSite=None; Secure=True");
}
return cookie;
});
res.setHeader("Set-Cookie", cookies); |
Oh my god this worked ... I was struggling with this bug for hours trying to figure out why even with rewriting the same headers it wouldn't apply to the iFrame. Confirming this works with Next.js 15 (App router) + Draft Mode + Storyblok CMS. |
For anyone using Storyblok, here is my entire /api/draft?slug= route. |
Verify canary release
Provide environment information
Operating System: Platform: darwin Arch: x64 Version: Darwin Kernel Version 22.3.0: Thu Jan 5 20:53:49 PST 2023; root:xnu-8792.81.2~2/RELEASE_X86_64 Binaries: Node: 18.7.0 npm: 8.15.0 Yarn: 1.22.19 pnpm: N/A Relevant packages: next: 13.4.3-canary.1 eslint-config-next: 13.1.6 react: 18.2.0 react-dom: 18.2.0 typescript: 4.9.5
Which area(s) of Next.js are affected? (leave empty if unsure)
App directory (appDir: true)
Link to the code that reproduces this issue
https://github.com/fromthemills/nextjs-draft-bug
To Reproduce
Start the app
npm run dev
Visit
https://localhost:3000/api/draft
Check the set-cookie header in network tab.
Describe the Bug
When activating draft mode the
__prerender_bypass
cookie is set toSameSite=lax
which prevents a visuals CMS to set the cookie as part of an iFrame. The old preview mode set the cookie toSameSite=None
New cookie:
Old cookie:
Expected Behavior
SameSite=None
like the old cookieWhich browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
No response
NEXT-1472
The text was updated successfully, but these errors were encountered: