
PunchOut and iframe limitations

Describes limitations for iframe implementation and provides background on PunchOut and iframes.

Commerce (SaaS) limitations and iframe implementation

Optimizely Commerce (SaaS) does not support setting its SameSite cookies to “None; Secure”, the combination that would allow Commerce (SaaS) to be rendered inside an iframe in some procurement platforms. Reasons for this decision include:

  • Commerce (SaaS) 4.5 and earlier SDKs use .NET versions earlier than 4.7.2, which is the first version that can set SameSite cookies to “None; Secure”, so it is not possible to issue a fix for these versions of the platform. For more information, see Announcement: SameSite Cookie Handling and .NET Framework 4.7.2 Patch Availability on Azure App Service.
  • Commerce (SaaS) 5.0 and later authenticate with the APIs differently. Commerce (SaaS) 5.0 relies on SameSite cookies, so setting these cookies to None, rather than Lax or Strict, would limit the functionality of the APIs.
  • All of Optimizely's PunchOut partners have solutions in place for this issue: they render PunchOut in a separate window and send the information back to the originating session. All PunchOut partners confirmed that these fixes, which should already be implemented on existing sites, are valid long-term solutions. Optimizely recommends reaching out to your PunchOut partner with any questions.

Background on PunchOut and iframes

Google released Chrome 80 in February 2020, which changed how the browser handles cookies that carry the SameSite=None attribute without also being marked Secure. This change may impact Commerce (SaaS) customers who integrate with PunchOut.

  • On Commerce (SaaS) websites rendered in iframes through procurement platforms like Ariba or Jaggaer, Chrome 80 will not save the users' cookies. Instead, Commerce (SaaS) renders as if the users are not logged in, and they cannot complete their PunchOut sessions.
  • PunchOut works correctly when rendered as a pop-up window rather than an iframe.
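To make the iframe-versus-pop-up difference concrete, here is an added example (not Optimizely's code) that models the Chrome 80 cookie rules behind this page: a cookie with no SameSite attribute is treated as Lax, a SameSite=None cookie without Secure is rejected, and only a "None; Secure" cookie is attached to requests made from inside a cross-site iframe. The Set-Cookie headers and the three request contexts are constructed for illustration.

```javascript
// Parse a Set-Cookie header into the fields the SameSite decision depends on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Chrome 80 rules: missing/unknown SameSite becomes Lax; None without Secure is dropped.
function effectiveSameSite(cookie) {
  if (cookie.sameSite === null || !['strict', 'lax', 'none'].includes(cookie.sameSite)) return 'lax';
  if (cookie.sameSite === 'none' && !cookie.secure) return 'rejected';
  return cookie.sameSite;
}

// Would the browser attach this cookie to a request in the given context?
// Contexts (assumed for this example):
//   'same-site'                – requests the Commerce site makes to itself (the pop-up case)
//   'cross-site-top-level-nav' – the procurement platform navigating the user to Commerce
//   'cross-site-iframe'        – Commerce rendered inside the procurement platform's page
function cookieSentIn(cookie, context) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false;
  if (context === 'same-site') return true;
  if (context === 'cross-site-top-level-nav') return mode !== 'strict';
  return mode === 'none'; // cross-site iframe: only "None; Secure" survives
}

// Constructed sample headers; the cookie names are illustrative, not the product's own.
const SAMPLES = [
  'session=abc123; Path=/; HttpOnly',          // legacy cookie with no SameSite attribute
  'auth=tok; Path=/; Secure; SameSite=None',   // what an iframe-embedded session would need
  'auth2=tok; Path=/; SameSite=None',          // rejected outright by Chrome 80
  'csrf=x; Path=/; SameSite=Strict',
];

// Summarise which sample cookies reach the server in a given context.
function report(context) {
  return SAMPLES.map((h) => parseSetCookie(h)).filter((c) => cookieSentIn(c, context)).map((c) => c.name);
}
```

Running `report('cross-site-iframe')` returns only `['auth']`, while `report('same-site')` returns every cookie except the rejected `auth2`, which is exactly why the pop-up flow keeps the user logged in and the iframe flow does not.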