Confluence Data Center: CONFSERVER-59298

When Chrome requires "SameSite=None; Secure" for cross-site cookies, warning messages are displayed in the Developer Tools console


    Description

      Issue Summary

      Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies. Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

      Warnings about this can be seen in the Developer Tools console when navigating to pages that have content from an app-linked Jira instance. 

      Steps to Reproduce

      1. (prior to the Chrome version 80 rollout) In Chrome version 77+ go to "chrome://flags/"
      2. Search for "SameSite" and enable "SameSite by default cookies" and "Cookies without SameSite must be secure"
      3. In a Confluence instance which has an application link to a Jira instance, navigate to a Confluence page that has integrated content from Jira (gadgets, issue filters, etc.) 

      Expected Results

      Jira content will be displayed and no warning messages about the cross-site cookies will be displayed in the Developer Tools console. 

      Actual Results

      Jira content is displayed and the below message is displayed in the Developer Tools console:

      A cookie associated with a cross-site resource at http://JIRA-HOSTNAME/ 
      was set without the `SameSite` attribute. A future release of Chrome will 
      only deliver cookies with cross-site requests if they are set 
      with `SameSite=None` and `Secure`. You can review cookies in 
      developer tools under Application>Storage>Cookies and see 
      more details at https://www.chromestatus.com/feature/5088147346030592 
      and https://www.chromestatus.com/feature/5633521622188032.
      

      Workaround

      • Currently there is no known workaround for this behavior within Confluence itself. 
      • Disable the `SameSite` change in Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
      • Add the cookie attributes (SameSite=None) at the Tomcat level: Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor. See Tomcat and Jetty SameSite Workarounds for more details.
      • Add the cookie attributes at the proxy level:
        • For example, if using HAProxy, set SameSite=None and explicitly add Secure, as it is required (credit to ov3):
          http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
          
        • Likewise for F5, an iRule can be used:
          # Set SameSite attribute for the JSESSIONID cookie to "lax"
          when HTTP_RESPONSE {
              if {[HTTP::cookie exists "JSESSIONID"]}{
                  HTTP::cookie attribute "JSESSIONID" remove {samesite}
                  HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"
              }
          }
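To check which cookies from the app-linked instance would actually be affected, and what the proxy-level rewrite above turns them into, here is an added example (not code from this issue or from Atlassian). It classifies Set-Cookie values according to the Chrome 80 rules described in this issue (no SameSite is treated as Lax, SameSite=None needs Secure) and also covers the caveat the console message hints at with its http://JIRA-HOSTNAME/ URL: a cookie carrying Secure is refused by Chrome when it is set over plain HTTP, so appending "; SameSite=None; Secure" at the proxy only helps when the Jira base URL is HTTPS. The sample headers are constructed; the rewrite function mirrors the HAProxy rule but strips any existing SameSite/Secure attribute first so the unconditional regex append cannot duplicate them.

```python
"""Classify Set-Cookie headers the way Chrome 80's SameSite defaults do,
and show what the proxy-level rewrite from the workaround list produces."""

from typing import Dict, List, Tuple

# Constructed sample Set-Cookie values, standing in for what a reverse proxy
# sees on responses from the app-linked Jira instance (no real values).
SAMPLE_HEADERS: List[str] = [
    "JSESSIONID=ABC123; Path=/; HttpOnly",                        # no SameSite at all
    "atlassian.xsrf.token=TOKEN; Path=/; SameSite=None",          # None without Secure
    "JSESSIONID=DEF456; Path=/; Secure; HttpOnly; SameSite=None", # already compliant
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased for lookup; flag attributes such as
    Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cross_site_verdict(header: str, scheme: str = "https") -> str:
    """Say how Chrome 80+ treats this cookie on a cross-site request.

    `scheme` is the scheme of the response that set the cookie: Chrome
    refuses to store a Secure cookie that was set over plain HTTP, which
    is exactly the http://JIRA-HOSTNAME/ case in the console warning.
    """
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if secure and scheme != "https":
        return "rejected: Secure cookie set over plain HTTP"
    if samesite == "none":
        if not secure:
            return "rejected: SameSite=None requires Secure"
        return "sent cross-site"
    if not samesite:
        return "not sent cross-site: no SameSite, treated as Lax by default (console warning)"
    return f"not sent cross-site: SameSite={samesite}"


def add_samesite_none(header: str) -> str:
    """Rewrite one Set-Cookie value as the HAProxy rule does (append
    SameSite=None; Secure), but drop any existing SameSite or Secure
    attribute first so the attributes are never duplicated."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts[1:]
            if p.partition("=")[0].strip().lower() not in ("samesite", "secure")]
    return "; ".join([parts[0]] + kept + ["SameSite=None", "Secure"])


def audit(headers: List[str], scheme: str = "https") -> List[Tuple[str, str, str]]:
    """Return (cookie name, verdict before rewrite, verdict after rewrite)."""
    rows = []
    for h in headers:
        name, _, _ = parse_set_cookie(h)
        rows.append((name, cross_site_verdict(h, scheme),
                     cross_site_verdict(add_samesite_none(h), scheme)))
    return rows


if __name__ == "__main__":
    for name, before, after in audit(SAMPLE_HEADERS):
        print(f"{name}: before -> {before}; after rewrite -> {after}")
    # Over plain HTTP the rewrite makes things worse: every cookie now
    # carries Secure and is dropped by the browser.
    for name, before, after in audit(SAMPLE_HEADERS, scheme="http"):
        print(f"[http] {name}: before -> {before}; after rewrite -> {after}")
```

Run it against the real Set-Cookie headers captured from your Jira base URL (for example from the proxy's response log) to see which cookies would stop flowing into Confluence's embedded Jira content, and run it with `scheme="http"` before enabling any proxy rewrite on a non-TLS base URL.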
          

      People

        Assignee: Unassigned
        Reporter: asmith4@atlassian.com Andrew S
        Votes: 23
        Watchers: 31