Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-59298

When Chrome requires "SameSite=None; Secure" for cross-site cookies, warning messages are displayed in the Developer Tools console


      Issue Summary

      Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies. Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

      Warnings about this can be seen in the Developer Tools console when navigating to pages that have content from an app-linked Jira instance. 

      Steps to Reproduce

      1. (prior to the Chrome version 80 rollout) In Chrome version 77+ go to "chrome://flags/"
      2. Search for "SameSite" and enable "SameSite by default cookies" and "Cookies without SameSite must be secure"
      3. In a Confluence instance which has an application link to a Jira instance, navigate to a Confluence page that has integrated content from Jira (gadgets, issue filters, etc.) 

      Expected Results

      Jira content will be displayed and no warning messages about the cross-site cookies will be displayed in the Developer Tools console. 

      Actual Results

      Jira content is displayed and the below message is displayed in the Developer Tools console:

      A cookie associated with a cross-site resource at http://JIRA-HOSTNAME/ 
      was set without the `SameSite` attribute. A future release of Chrome will 
      only deliver cookies with cross-site requests if they are set 
      with `SameSite=None` and `Secure`. You can review cookies in 
      developer tools under Application>Storage>Cookies and see 
      more details at https://www.chromestatus.com/feature/5088147346030592 
      and https://www.chromestatus.com/feature/5633521622188032.


      • Currently there is no known workaround for this behavior within Confluence. 
      • Disable `SameSite` change at Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
      • Add cookie headers (SameSite=None) at Tomcat level, Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor.  Check Tomcat and Jetty SameSite Workarounds for more details
      • Add cookie headers at the proxy level:
        • For example, if using HAProxy, set SameSite=None and explicitly add Secure as it's required (credit to ov3):
          http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
        • Likewise for F5, an iRule can be utilized:
          # Set SameSite attribute for the JSESSIONID cookie to "lax"
          when HTTP_RESPONSE {
              if {[HTTP::cookie exists "JSESSIONID"]}{
                  HTTP::cookie attribute "JSESSIONID" remove {samesite}
                  HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"


            Unassigned Unassigned
            asmith4@atlassian.com Andrew S
            26 Vote for this issue
            34 Start watching this issue