Issue Type: Suggestion
Resolution: Unresolved
Problem Definition
Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) started enforcing different requirements on cross-site cookies:
- The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
- Chrome 80 treats cookies that have no declared SameSite value as `SameSite=Lax` cookies.
Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.
With this behaviour enabled in Chrome, functionality such as the following (not limited to) may be affected:
- SSO/SAML may be affected (see SSO triggers error "Received invalid SAML response" when attempting to log into Confluence using Google Chrome)
Suggested Solution
As a Confluence Administrator, I would like to be able to configure the `SameSite` policy for Confluence (None, Lax, Strict), with a reasonably secure default.
Workaround
- Currently there is no known workaround for this behavior within Confluence.
- Disable the `SameSite` change in Chrome, as described in Turning off Google Chrome SameSite Cookie Enforcement.
- Add the cookie attribute (`SameSite=None`) at the Tomcat level: Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor. See Tomcat and Jetty SameSite Workarounds for details.
- Add the cookie attribute at the proxy level:
  - For example, if using HAProxy, set SameSite=None and explicitly add Secure, as it is required (credit to ov3):

    ```
    http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
    ```

  - Likewise for F5, an iRule can be utilized:

    ```tcl
    # Set the SameSite attribute of the JSESSIONID cookie to "lax"
    when HTTP_RESPONSE {
        if {[HTTP::cookie exists "JSESSIONID"]} {
            HTTP::cookie attribute "JSESSIONID" remove {samesite}
            HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"
        }
    }
    ```
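The two behaviours this issue turns on (Chrome 80 defaulting an absent SameSite attribute to Lax, and SameSite=None only being accepted together with Secure) and the header rewriting that the HAProxy and F5 snippets above perform, as an added Python example. This is not code from the issue, from Confluence or from either proxy vendor; the cookie names and values in it are constructed for illustration, and the classification logic encodes only the Chrome behaviour described in the problem definition.

```python
"""Classify Set-Cookie headers under Chrome 80's SameSite rules and rewrite
them the way the proxy-level workarounds do (added example, constructed data)."""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    attributes is a list of (key, value) pairs in header order; value is None
    for flag attributes such as Secure and HttpOnly. Original key casing is kept
    so a rewritten header looks like the one the application sent."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = []
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attributes.append((key.strip(), val.strip() if sep else None))
    return name.strip(), value.strip(), attributes


def get_attr(attributes, key):
    """Case-insensitive attribute lookup; returns (found, value)."""
    for k, v in attributes:
        if k.lower() == key.lower():
            return True, v
    return False, None


def effective_samesite(header):
    """How Chrome 80+ treats the cookie on cross-site requests:
    absent SameSite -> Lax; SameSite=None without Secure -> rejected."""
    _, _, attributes = parse_set_cookie(header)
    found, value = get_attr(attributes, "SameSite")
    mode = (value or "").lower() if found else ""
    if mode == "none":
        secure, _ = get_attr(attributes, "Secure")
        return "None" if secure else "rejected"
    if mode in ("lax", "strict"):
        return mode.capitalize()
    # No attribute (or an unrecognised value): Chrome's new Lax default applies.
    return "Lax"


def rewrite_set_cookie(header, samesite="None", names=None):
    """Rewrite a Set-Cookie header as the proxy workarounds do: force a SameSite
    value and, when it is None, add Secure. Unlike the HAProxy one-liner, an
    existing SameSite attribute is replaced rather than appended (the F5 rule's
    remove-then-insert), and `names` limits the rewrite to specific cookies,
    e.g. {"JSESSIONID"}."""
    name, value, attributes = parse_set_cookie(header)
    if names is not None and name not in names:
        return header
    kept = [(k, v) for k, v in attributes if k.lower() != "samesite"]
    kept.append(("SameSite", samesite))
    if samesite.lower() == "none" and not get_attr(kept, "Secure")[0]:
        kept.append(("Secure", None))
    rendered = [f"{name}={value}"]
    for k, v in kept:
        rendered.append(k if v is None else f"{k}={v}")
    return "; ".join(rendered)


# Constructed sample headers; JSESSIONID is the cookie the F5 rule targets,
# the other names are made up for this example.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",          # no SameSite: Lax by default
    "sso_token=xyz; Path=/; SameSite=None",         # None without Secure: rejected
    "pref=dark; Path=/; SameSite=Strict; Secure",   # explicitly Strict: unchanged
]


def report(headers=SAMPLE_HEADERS):
    """Return (before, after) classifications for each header after rewriting."""
    return [(effective_samesite(h), effective_samesite(rewrite_set_cookie(h)))
            for h in headers]


if __name__ == "__main__":
    for header, (before, after) in zip(SAMPLE_HEADERS, report()):
        print(f"{header!r}\n  before: {before:9} after: {after}")
```

Running it shows the session cookie moving from the Lax default to a usable cross-site `None` cookie, and the `SameSite=None` cookie that lacked `Secure` changing from rejected to accepted. A blanket rewrite also upgrades cookies that were deliberately `Strict`, which is why restricting the rewrite to named cookies (as the F5 rule does) is the safer shape of this workaround.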
Relates to: JRASERVER-70471 Implement SameSite policy support (Gathering Interest)