Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Low
Fix Version/s: None
Affects Version/s: 6.13.6, 8.1.0, 8.5.7
Component/s: Integrations - Jira, Other
Labels:

Support reference count:
59
Symptom Severity:
Severity 2 - Major
UIS:
14
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies. Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

Warnings about this can be seen in the Developer Tools console when navigating to pages that have content from an app-linked Jira instance.

Steps to Reproduce

(prior to the Chrome version 80 rollout) In Chrome version 77+ go to "chrome://flags/"
Search for "SameSite" and enable "SameSite by default cookies" and "Cookies without SameSite must be secure"
In a Confluence instance which has an application link to a Jira instance, navigate to a Confluence page that has integrated content from Jira (gadgets, issue filters, etc.)

Expected Results

Jira content will be displayed and no warning messages about the cross-site cookies will be displayed in the Developer Tools console.

Actual Results

Jira content is displayed and the below message is displayed in the Developer Tools console:

A cookie associated with a cross-site resource at http://JIRA-HOSTNAME/ 
was set without the `SameSite` attribute. A future release of Chrome will 
only deliver cookies with cross-site requests if they are set 
with `SameSite=None` and `Secure`. You can review cookies in 
developer tools under Application>Storage>Cookies and see 
more details at https://www.chromestatus.com/feature/5088147346030592 
and https://www.chromestatus.com/feature/5633521622188032.

Workaround

Currently there is no known workaround for this behavior within Confluence.
Disable `SameSite` change at Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
Add cookie headers (SameSite=None) at Tomcat level, Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor. Check Tomcat and Jetty SameSite Workarounds for more details
Add cookie headers at the proxy level:
- For example, if using HAProxy, set SameSite=None and explicitly add Secure as it's required (credit to ov3):
```
http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
```

Likewise for F5, an iRule can be utilized:

# Set SameSite attribute for the JSESSIONID cookie to "lax"
when HTTP_RESPONSE {
    if {[HTTP::cookie exists "JSESSIONID"]}{
        HTTP::cookie attribute "JSESSIONID" remove {samesite}
        HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"
    }
}

relates to

JRASERVER-70419 When Chrome enforces SameSite=LAX setting, Avatars from Confluence in the Activity Stream are broken

Gathering Impact

JRASERVER-70471 Implement SameSite policy support

Gathering Interest

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(2 mentioned in)

Assignee:: Unassigned

Reporter:: Andrew S

Votes:: 28 Vote for this issue

Watchers:: 36 Start watching this issue

Created:: 20/Dec/2019 12:48 AM

Updated:: Yesterday 4:22 AM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates