Your Surveys Router - no login bug

There seems to be a bug with Your Surveys router on Chrome browsers which causes the login box to disappear. Using Firefox works fine. Also, it’s only a problem with iframes on Chrome, as opening in a new window/tab works fine.

For now, Chrome users can click the link (on the router page) which will open YS router in a new window. Or just use Firefox.

We’ve also noticed if your window width is too small, the login box also disappears, even if in a new window. This happens around 800px width.

Hope this helps!

I can’t replicate this and I use Chrome. The email field is always there no matter how much I resize. What I do know though is that the email field will disappear if you don’t pass the “si” (sponsor id?) parameter in the URL.
UPDATE:
I compared the iframe and non-iframe requests in Fiddler and I think I found the reason why it’s not showing, but I’m pretty sure it’s on your-surveys’s end, because the feature in Chrome that messes this up was added in version 51, which was like 2 years ago.

The ys router link will redirect you to ys.com/routing, but also sets the “points2shop” cookie. The omission of this cookie results in the ys server including a CSS snippet that hides the login box.

If you inspect the set-cookie header, you can see the “SameSite” attribute set to Lax at the very end.

The SameSite cookie feature thingy is a measure to prevent CSRF, and ys has it set to Lax, which is the most lax setting, but it’s still too strict for iframes.

There are two possible values for the same-site attribute:

  • Lax
  • Strict

In the strict mode, the cookie is withheld with any cross-site usage. Even when the user follows a link to another website the cookie is not sent.

In lax mode, some cross-site usage is allowed. Specifically if the request is a GET request and the request is top-level. Top-level means that the URL in the address bar changes because of this navigation. This is not the case for iframes, images or XMLHttpRequests.

As a result, the “points2shop” cookie is not set in Chrome. Firefox added support for the samesite cookie in version 60, which is the current main release, so the same behavior should be expected in FF as well soon.

TL;DR
It’s because of the “SameSite” attribute being set on the “points2shop” cookie. Iframe requests aren’t classified as top-level, so the cookie isn’t set when ys is loaded in an iframe, and the login box therefore remains hidden.

SameSite has been implemented in Chrome for a while, so your-surveys is most likely at fault here. The solution would be for them to omit the SameSite attribute entirely from the “points2shop” cookie.

TL;DR of TL;DR
IT’S ALL YS’s FAULT!!!1!
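
Added example, not part of the original posts: a small JavaScript model of the SameSite decision explained in the post above, showing why the Lax “points2shop” cookie is withheld in a cross-site iframe but sent for a link opened in a new tab. The cookie value, the other attributes and the request contexts are constructed, and a cookie without the attribute is assumed to be unrestricted, as in browsers at the time of the thread.

```javascript
// Added example: models the SameSite rules as the thread describes them.
// Constructed header: cookie name from the thread, value and other attributes made up.
const SAMPLE_SET_COOKIE = "points2shop=abc123; Path=/; HttpOnly; SameSite=Lax";

// Return the SameSite value in lowercase, or null when the attribute is absent.
function parseSameSite(setCookie) {
  for (const part of setCookie.split(";").slice(1)) {
    const [name, value = ""] = part.trim().split("=");
    if (name.trim().toLowerCase() === "samesite") return value.trim().toLowerCase();
  }
  return null;
}

// Would a browser attach the cookie to this request?
// req = { crossSite, topLevel, method }; topLevel means the address bar URL changes.
function cookieIsSent(setCookie, req) {
  if (!req.crossSite) return true; // same-site requests are never restricted
  const sameSite = parseSameSite(setCookie);
  switch (sameSite) {
    case "strict":
      return false; // withheld on every cross-site request
    case "lax":
      // only top-level GET navigations carry the cookie (the thread's description)
      return req.topLevel && req.method.toUpperCase() === "GET";
    case "none":
    case null:
      // Assumption: no attribute means no restriction, as at the time of the thread.
      return true;
    default:
      throw new Error(`unmodelled SameSite value: ${sameSite}`);
  }
}

// Constructed request contexts for a page on another site loading the router.
const CONTEXTS = {
  "link opened in new tab": { crossSite: true, topLevel: true, method: "GET" },
  "iframe embed": { crossSite: true, topLevel: false, method: "GET" },
  "XMLHttpRequest": { crossSite: true, topLevel: false, method: "GET" },
  "top-level form POST": { crossSite: true, topLevel: true, method: "POST" },
  "same-site iframe": { crossSite: false, topLevel: false, method: "GET" },
};

// Map each context name to true (cookie sent) or false (cookie withheld).
function evaluate(setCookie) {
  const result = {};
  for (const [name, req] of Object.entries(CONTEXTS)) result[name] = cookieIsSent(setCookie, req);
  return result;
}

console.table(evaluate(SAMPLE_SET_COOKIE));
```

Current browsers treat a cookie with no SameSite attribute as Lax, so a cookie that has to work inside a cross-site iframe now needs `SameSite=None; Secure`.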

YS has been notified. We’ll be sure to forward them your response if they’re confused about the issue :stuck_out_tongue:

Phew, glad I’m not the only one having this problem! Seems to be affecting Opera browser as well.

ye samesite has been shipped in opera since release 39, which was built on chromium 51 or 52 prolly

update:
sure enough, it’s broken in FF 60 like i said.