HomeGuidesAPI Reference
Submit Documentation FeedbackJoin Developer CommunityOptimizely GitHubOptimizely NuGetLog In

PunchOut and iframe limitations

This topic describes limitations for iframe implementation and provides background on PunchOut and iframes.

B2B Commerce limitations and iframe implementation

Optimizely B2B Commerce does not support setting SameSite cookies as “None; Secure”, which would allow the ability to render B2B Commerce inside an iframe in some procurement platforms. Reasons for this decision include:

  • B2B Commerce 4.5 and previous SDKs use .NET versions earlier than 4.7.2, which is the version needed to set this flag on SameSite cookies as “None; Secure”. therefore it is not possible to issue a fix for these versions of the platform. For more information, see Announcement: SameSite Cookie Handling and .NET Framework 4.7.2 Patch Availability on Azure App Service.
  • B2B Commerce 5.0 forward has a different way of authenticating with the APIs. B2B Commerce 5.0 uses SameSite cookies, so setting these cookies to None, rather than Lax or Strict, would limit the functionality of the APIs.
  • All of Optimizely's PunchOut partners have solutions in place to solve for this issue by rendering PunchOut in a separate window and sending this information back to the originating session. All PunchOut partners confirmed that their fixes, which should already be implemented on existing sites, are valid as long-term solutions. Optimizely recommends reaching out to your PunchOut partner with any questions.

Background on PunchOut and iframes

Google released Chrome 80 in February 2020, which changed how the browser handles cookies that are not secure with the SameSite=None attribute. This change may impact B2B Commerce customers who integrate with PunchOut.

  • On B2B Commerce websites rendered in iframes through procurement platforms like Ariba or Jaggaer, Chrome 80 will not save the users' cookies. Instead, B2B Commerce renders as if users are not logged in, and they cannot successfully complete their PunchOut sessions.
  • PunchOut will work correctly if rendered as a pop-up window rather than an iframe.