-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
6.13.6, 8.1.0, 8.5.7
-
59
-
Severity 2 - Major
-
14
-
Issue Summary
Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies. Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.
Warnings about this can be seen in the Developer Tools console when navigating to pages that have content from an app-linked Jira instance.
Steps to Reproduce
- (prior to the Chrome version 80 rollout) In Chrome version 77+ go to "chrome://flags/"
- Search for "SameSite" and enable "SameSite by default cookies" and "Cookies without SameSite must be secure"
- In a Confluence instance which has an application link to a Jira instance, navigate to a Confluence page that has integrated content from Jira (gadgets, issue filters, etc.)
Expected Results
Jira content will be displayed and no warning messages about the cross-site cookies will be displayed in the Developer Tools console.
Actual Results
Jira content is displayed and the below message is displayed in the Developer Tools console:
A cookie associated with a cross-site resource at http://JIRA-HOSTNAME/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
Workaround
- Currently there is no known workaround for this behavior within Confluence.
- Disable `SameSite` change at Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
- Add cookie headers (SameSite=None) at Tomcat level, Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor. Check Tomcat and Jetty SameSite Workarounds for more details
- Add cookie headers at the proxy level:
- For example, if using HAProxy, set SameSite=None and explicitly add Secure as it's required (credit to ov3):
http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
- For example, if using HAProxy, set SameSite=None and explicitly add Secure as it's required (credit to ov3):
-
- Likewise for F5, an iRule can be utilized:
# Set SameSite attribute for the JSESSIONID cookie to "lax" when HTTP_RESPONSE { if {[HTTP::cookie exists "JSESSIONID"]}{ HTTP::cookie attribute "JSESSIONID" remove {samesite} HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax" } }
- Likewise for F5, an iRule can be utilized:
- relates to
-
JRASERVER-70419 When Chrome enforces SameSite=LAX setting, Avatars from Confluence in the Activity Stream are broken
- Gathering Impact
-
JRASERVER-70471 Implement SameSite policy support
- Gathering Interest