How to Configure Cadenza for Embedding

When Cadenza Web is embedded in another application using iframes (or the other way around), there are the following major deployment patterns:

  1. Both systems are on the same origin (e.g. https://example.com/cadenza and https://example.com/myapp) by putting a reverse proxy in front of both services

  2. Both systems are on different origins.

Scenario 1 - Same Origin

No CSP and no Cookie configuration necessary.

Scenario 2 - Different Origins

If Cadenza and the embedding application have different origins then you need to configure Cadenza (and the other application) so that browsers will allow embedding one in the other.

The situation arises because Cadenza functions as a third-party application within another platform or application, so browsers classify Cadenza's cookies as third-party cookies. This setup is common in advertising, where invisible iframes on web sites host tracking applications designed to fingerprint users and enable advertisers to monitor user activity across various websites.

To convince browsers not to treat Cadenza like such an application, you need to set some configuration options:

  • You MUST make sure that Cadenza allows being embedded in the other application. This is configured through the csp configuration in basicweb, where you can whitelist the origins that are allowed to embed Cadenza:

    <csp>
      <frame-ancestors enabled="true">
        <source>https://example.com</source>
      </frame-ancestors>
    </csp>

  • You MUST use TLS for both the application and Cadenza

  • You MUST set the Secure flag on Cadenza’s session cookie. You can do this with a system property:

    -Dnet.disy.cadenza.web.session.cookies.secure=true

  • You MUST set the SameSite attribute of Cadenza’s session cookie to none. This can be done using a system property:

    -Dnet.disy.cadenza.web.cookies.samesite=none
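To verify that the three cookie and CSP rules above actually reach the browser after Cadenza is restarted, here is an added checker (not part of the Cadenza documentation or product) that inspects the response headers Cadenza serves. The header values are constructed samples; the header names are standard HTTP.

```python
"""Check whether an HTTP response satisfies the cross-origin embedding
rules: a frame-ancestors directive that permits the embedding origin and
a session cookie carrying Secure and SameSite=None."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers: one compliant response and one that still
# has the default (non-embeddable) settings.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors https://example.com",
    "Set-Cookie": "JSESSIONID=abc123; Path=/cadenza; Secure; HttpOnly; SameSite=None",
}
BAD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Set-Cookie": "JSESSIONID=abc123; Path=/cadenza; HttpOnly; SameSite=Lax",
}

def frame_ancestors(csp_header):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def origin_allowed(sources, embedder):
    """True if the embedding origin matches a CSP source: exact origin, '*',
    or a scheme-qualified '*.host' wildcard. 'self' never matches because
    the embedder is, by definition of this scenario, a different origin."""
    emb = urlsplit(embedder)
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*" or s == embedder.lower():
            return True
        if "://" in s:
            parsed = urlsplit(s)
            if parsed.scheme == emb.scheme and parsed.netloc.startswith("*.") \
                    and (emb.hostname or "").endswith(parsed.netloc[1:]):
                return True
    return False

def cookie_flags(set_cookie_header):
    """Return (secure, samesite) for the first cookie in a Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = next(iter(jar.values()))
    return bool(morsel["secure"]), morsel["samesite"].lower()

def check_embedding(headers, embedder):
    """Evaluate the rules against the response headers; returns rule -> bool."""
    sources = frame_ancestors(headers.get("Content-Security-Policy", "")) or []
    secure, samesite = cookie_flags(headers["Set-Cookie"])
    return {
        "frame_ancestors_allows_embedder": origin_allowed(sources, embedder),
        "cookie_secure": secure,
        "cookie_samesite_none": samesite == "none",
    }
```

Any False entry in the result identifies which of the three settings the browser will reject; a missing frame-ancestors directive counts as not allowing the embedder.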