·
1 min read

Power Apps portals: SameSite mode and its use when hosting your portal in an iframe

Starting with portals version 9.3.6.x, portal makers have settings available to specify SameSite, which is an attribute of the Set-Cookie HTTP response header and allows makers to declare if their cookies should be restricted to a first-party or same-site context.

SameSite mode changes were announced on our Important changes are coming in Power Apps portals topic earlier.

Site Setting Name Scope Possible value
HTTP/SameSite/Default Global, for all cookies. None
Lax
Strict
HTTP/SameSite/{CookieName} Specific cookie. None
Lax
Strict

We have also published a step-by-step  article about how-to iframe your portal in another website and it exemplifies the SameSite mode settings that are needed for it. You can read the article here.
Important: As noted in the announcement, starting October 2021 all newly provisioned portals will have Strict as the Default value instead of None. This impacts functionality in scenarios like when you iframe  your portal in other website.
We recommended that you review this setting for your portal in case they have a functionality that requires SameSite to be set to any other value than Strict and use the site settings to adjust the value accordingly.