From 87fdf27bd667919b4d0a356f3718eebcbe87d8b9 Mon Sep 17 00:00:00 2001
From: Kevin Stubbs
Date: Tue, 2 Jul 2024 22:21:32 +0700
Subject: [PATCH] Set PCC-GRANT cookie very permissively
---
 .changeset/young-maps-fly.md | 5 +++++
 .github/workflows/changeset.yml | 2 +-
 packages/core/src/core/pantheon-api.ts | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/young-maps-fly.md
diff --git a/.changeset/young-maps-fly.md b/.changeset/young-maps-fly.md
new file mode 100644
index 00000000..e0265aee
--- /dev/null
+++ b/.changeset/young-maps-fly.md
@@ -0,0 +1,5 @@
+---
+"@pantheon-systems/pcc-sdk-core": patch
+---
+
+PCC-GRANT (preview token) cookie now set with most relaxed security so that preview-pages can be shown in iframes.
diff --git a/.github/workflows/changeset.yml b/.github/workflows/changeset.yml
index ba426802..e3aaddea 100644
--- a/.github/workflows/changeset.yml
+++ b/.github/workflows/changeset.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout code repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
 - name: setup node.js
diff --git a/packages/core/src/core/pantheon-api.ts b/packages/core/src/core/pantheon-api.ts
index ed5734b6..fc7728d7 100644
--- a/packages/core/src/core/pantheon-api.ts
+++ b/packages/core/src/core/pantheon-api.ts
@@ -127,7 +127,7 @@ export const PantheonAPI = (givenOptions?: PantheonAPIOptions) => {
 // Set or delete the PCC-GRANT cookie.
 if (pccGrant) {
- await setCookie(res, `PCC-GRANT=${pccGrant}; Path=/; SameSite=Lax`);
+ await setCookie(res, `PCC-GRANT=${pccGrant}; Path=/; SameSite=None;Secure;`);
 } else if (
 options?.getSiteId != null &&
 req.cookies?.["PCC-GRANT"] != null
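Review bot: The new PCC-GRANT value in `packages/core/src/core/pantheon-api.ts` is set with `SameSite=None;Secure;` and no `HttpOnly`, so the preview token is now attached to every cross-site request to this origin and stays readable from page script. If no client code needs to read it, add `HttpOnly`, and consider `Partitioned` so the cookie is keyed to the embedding site rather than shared across every site that frames the preview: `PCC-GRANT=${pccGrant}; Path=/; SameSite=None; Secure; HttpOnly; Partitioned`. Because any site can now cause the grant to be sent, the preview routes should restrict who may frame them (a `Content-Security-Policy: frame-ancestors` allow-list) and should not perform state changes on the strength of this cookie alone. `pccGrant` is interpolated into the header unescaped and its source is outside the hunk; if it comes from the request, validate or encode it before building the header. The delete branch in the `else if` continues past the hunk and may need the same attributes to clear the cookie when the page is rendered inside an iframe.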