I have several WordPress sites that run on a RHEL 7 box that I admin. All of the sites use a custom SSO plugin that I wrote.
Today I was told that other sites were having issues accessing one of our sites. Site x has our site (y) iframed on one of its pages, and it gets stuck in a loop and gets the browser error below.
I did set the PHP (7.3) session variable for samesite to Secure, and I can get to random webpages on the server but no pages that require a WP login (which again is passed through our SSO). So how do I check the specific samesite settings on a WP site, how do I change them, and is there a best practice for this setting?
Also, it would be great if someone could explain to me why Chrome is stopping an iframe from loading. Site y is in no way trying to pass info on to x. We are just trying to play a video from the site. This seems completely insane that this would be stopped by a browser. We did check, and it plays in IE, and users can also go directly to the link and play it. I am the admin for the sites and server (not cloud hosted), so I can make any changes needed.
A cookie associated with a cross-site resource at / was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .
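
The rule in the Chrome message above, as an added example that is not part of the original post: a small Node.js check that takes the `Set-Cookie` headers a site returns and reports which cookies Chrome would deliver when the site is loaded in a cross-site iframe. The header values are constructed samples, and the function names are hypothetical.

```javascript
// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Apply the rule from the Chrome message: a cookie is delivered with
// cross-site requests only if it is set with SameSite=None and Secure.
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const secure = 'secure' in attrs; // Secure is a flag; any value is ignored
  if (!('samesite' in attrs)) {
    return { name, sent: false, reason: 'no SameSite attribute' };
  }
  const sameSite = attrs.samesite.toLowerCase();
  if (sameSite === 'none') {
    return secure
      ? { name, sent: true, reason: 'SameSite=None; Secure' }
      : { name, sent: false, reason: 'SameSite=None without Secure' };
  }
  if (sameSite === 'lax' || sameSite === 'strict') {
    return { name, sent: false, reason: 'restricted to same-site requests' };
  }
  return { name, sent: false, reason: 'unrecognised SameSite value' };
}

// Constructed sample headers (not captured from any real site).
const sampleHeaders = [
  'PHPSESSID=constructed; path=/',
  'wordpress_logged_in_EXAMPLE=constructed; path=/; secure; HttpOnly; SameSite=None',
  'sso_token=constructed; path=/; SameSite=None',
  'prefs=constructed; path=/; Secure; SameSite=Secure',
  'theme=constructed; path=/; Secure; SameSite=Lax',
];

function auditCookies(headers) {
  return headers.map(crossSiteVerdict);
}

for (const v of auditCookies(sampleHeaders)) {
  console.log(`${v.name}: ${v.sent ? 'sent' : 'blocked'} in cross-site iframe (${v.reason})`);
}
```

Paste the `Set-Cookie` lines from the login response (for example from the browser's Network tab) into `sampleHeaders` to see which of the site's own cookies fail the rule.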