How to Configure Cadenza for Embedding
When Cadenza Web is embedded in another application using iframes (or Cadenza embeds another application), there are two major deployment patterns:
- Both systems are on the same origin (e.g. https://example.com/cadenza and https://example.com/myapp), typically by placing a reverse proxy in front of both services.
- Both systems are on different origins.
Scenario 2 - Different Origins
If Cadenza and the embedding application have different origins, you need to configure Cadenza (and the other application) so that browsers allow embedding one in the other.
This is more complicated because, from the browser's point of view, the framed application is a third party inside another site and its cookies are treated as third-party cookies. That is the typical advertising scenario, where an invisible iframe contains a tracking application that fingerprints visitors so advertisers can track them across different sites.
To convince browsers not to treat Cadenza like such an application, the following configuration is required:
- You MUST make sure that Cadenza allows being embedded in the other application. This is configured through the csp configuration in config-files:basicweb.adoc, where you whitelist the origins that are allowed to embed Cadenza. The whitelist becomes the frame-ancestors directive of Cadenza's Content-Security-Policy response header, which takes precedence over X-Frame-Options in browsers that support it:

    <csp>
      <frame-ancestors enabled="true">
        <source>https://example.com</source>
      </frame-ancestors>
    </csp>

  If Cadenza is the one embedding the other application, that application must in turn allow Cadenza's origin in its own frame-ancestors directive.
- You MUST use TLS for both the application and Cadenza.
- You MUST set the Secure flag on Cadenza's session cookie. You can do this with a system property:

    -Dnet.disy.cadenza.web.session.cookies.secure=true

- You MUST set SameSite on Cadenza's session cookie to none. This can be done using a system property:

    -Dnet.disy.cadenza.web.cookies.samesite=none

Browsers reject a cookie that declares SameSite=None without the Secure flag, so the two cookie settings only work together, and only over TLS. Note also that browsers which block third-party cookies by default (Safari, for example) or in which the user has turned third-party cookies off will still not send Cadenza's session cookie inside a cross-origin iframe; in that case only the same-origin pattern with a reverse proxy works.
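The following script is an added example for checking the response-side requirements above against a running server; it is not part of Cadenza or of this documentation. It audits a set of response headers for a frame-ancestors allow-list that admits the embedding origin, a Secure flag and SameSite=None on the session cookie, and an HTTPS embedder. The session cookie name JSESSIONID, the script name embed_audit.py and the sample header sets are assumptions for illustration.

```python
"""Audit a server response for cross-origin iframe embedding readiness.

Added example, not Cadenza's own code. The session cookie name JSESSIONID
is an assumption; pass the real name if it differs.
"""
from __future__ import annotations

import sys
import urllib.request
from urllib.parse import urlsplit


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source: str, origin: str) -> bool:
    """True if a frame-ancestors source expression admits `origin`.

    Handles '*', scheme-only sources (https:), host wildcards (*.example.com,
    which per CSP does NOT match the bare example.com) and explicit origins
    with an optional port. A scheme-less source is treated as matching any
    scheme; that simplification is harmless here because both sides must be
    served over TLS anyway.
    """
    src = source.strip().strip("'").lower()
    o = urlsplit(origin.lower())
    if src == "*":
        return True
    if src in ("none", "self"):
        return False  # 'self' is the framed app's own origin: useless cross-origin
    if src.endswith(":") and "/" not in src:
        return src[:-1] == o.scheme
    if "://" in src:
        scheme, _, hostport = src.partition("://")
        if scheme != o.scheme:
            return False
    else:
        hostport = src
    host, _, port = hostport.split("/")[0].partition(":")
    default_port = 443 if o.scheme == "https" else 80
    if port and port != "*" and port != str(o.port or default_port):
        return False
    if host.startswith("*."):
        return o.hostname is not None and o.hostname.endswith(host[1:])
    return host == o.hostname


def parse_set_cookie(value: str) -> dict[str, str | None]:
    """Return {'name': <cookie name>, <attribute>: <value or None>} for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    cookie: dict[str, str | None] = {"name": parts[0].partition("=")[0].strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or None
    return cookie


def audit_embedding(headers: list[tuple[str, str]], embedder_origin: str,
                    session_cookie: str = "JSESSIONID") -> list[str]:
    """Return the findings that stop `embedder_origin` from framing the app with a working session."""
    findings: list[str] = []

    def get(name: str) -> list[str]:
        return [v for k, v in headers if k.lower() == name]

    if urlsplit(embedder_origin).scheme != "https":
        findings.append(f"embedding origin {embedder_origin} is not https; SameSite=None cookies need TLS on both sides")

    ancestors = [s for v in get("content-security-policy") for s in parse_csp(v).get("frame-ancestors", [])]
    xfo = (get("x-frame-options") or [""])[0].strip().upper()
    if ancestors:
        if not any(source_matches(s, embedder_origin) for s in ancestors):
            findings.append(f"frame-ancestors '{' '.join(ancestors)}' does not admit {embedder_origin}")
    elif xfo in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: {xfo} blocks cross-origin framing and no frame-ancestors directive overrides it")
    else:
        findings.append("no frame-ancestors directive: any site may frame this app (configure the whitelist)")

    session = [c for c in map(parse_set_cookie, get("set-cookie")) if c["name"] == session_cookie]
    if not session:
        findings.append(f"response sets no {session_cookie} cookie (request a page that starts a session)")
    for c in session:
        samesite = (c.get("samesite") or "").lower()
        if "secure" not in c:
            tail = " (SameSite=None without Secure is rejected outright)" if samesite == "none" else ""
            findings.append(f"{session_cookie} lacks the Secure flag{tail}")
        if samesite != "none":
            shown = c.get("samesite") or "unset (browsers default to Lax)"
            findings.append(f"{session_cookie} SameSite is {shown}; cross-site iframes need None")
    return findings


def fetch_headers(url: str) -> list[tuple[str, str]]:
    """Fetch `url` and return its response headers (live check, needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "embed-audit/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.getheaders()


# Constructed sample responses for offline use; not captured from a real server.
READY = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors https://example.com"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/cadenza; HttpOnly; Secure; SameSite=None"),
]
NOT_READY = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/cadenza; HttpOnly"),
]

if __name__ == "__main__":
    # Usage: python embed_audit.py https://cadenza.example.net/cadenza/ https://example.com
    if len(sys.argv) == 3:
        headers, origin = fetch_headers(sys.argv[1]), sys.argv[2]
    else:
        headers, origin = NOT_READY, "https://example.com"
    for line in audit_embedding(headers, origin) or ["ready for embedding"]:
        print(line)
```

Run it against a Cadenza URL that starts a session (a login or landing page) and pass the origin of the embedding application; an empty finding list means the three response-side requirements are met. The check reads only what the server sends, so it cannot tell whether a particular browser will still refuse the cookie under its own third-party cookie policy.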