Confluence Data Center / CONFSERVER-92662

Implement SameSite policy support in Confluence UI



      Problem Definition

      Starting in February 2020, Chrome version 80 (and later Firefox and IE) began enforcing different requirements on cross-site cookies:

      • The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
      • Chrome 80 treats cookies that have no declared SameSite value as `SameSite=Lax` cookies.

      Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

      With this new functionality enabled in Chrome, functionalities such as (not limited to): 

      Suggested Solution

      As a Confluence Administrator, I would like to be able to configure the `SameSite` policy for Confluence (None, Lax, Strict), with a reasonably secure default.

      Workaround

      • Currently there is no known workaround for this behavior within Confluence. 
      • Disable `SameSite` change at Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
      • Add the cookie attribute (SameSite=None) at the Tomcat level: Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor. See Tomcat and Jetty SameSite Workarounds for more details.
      • Add cookie headers at the proxy level:
        • For example, if using HAProxy, set SameSite=None and explicitly add Secure as it's required (credit to ov3):
          http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
          
        • Likewise for F5, an iRule can be utilized:
          # Set SameSite attribute for the JSESSIONID cookie to "lax"
          when HTTP_RESPONSE {
              if {[HTTP::cookie exists "JSESSIONID"]}{
                  HTTP::cookie attribute "JSESSIONID" remove {samesite}
                  HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"
              }
          }
          
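As an added example (not part of this issue or of Confluence/Atlassian code), a small Python audit that applies the Chrome 80 rules above to Set-Cookie headers and performs the same rewrite as the HAProxy rule, but idempotently. The sample headers are constructed; only the JSESSIONID name comes from the issue.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, value = part.partition("=")
            # flag attributes such as Secure/HttpOnly carry no value
            attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs

def audit_set_cookie(header):
    """Return findings for one header; an empty list means Chrome 80+ compatible.
    Missing SameSite -> Chrome treats the cookie as Lax, so cross-site use breaks.
    SameSite=None without Secure -> Chrome rejects the cookie entirely."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if samesite is None:
        return [f"{name}: no SameSite attribute (treated as Lax by Chrome 80+)"]
    if samesite.lower() == "none" and "secure" not in attrs:
        return [f"{name}: SameSite=None without Secure (rejected by Chrome 80+)"]
    if samesite.lower() not in ("none", "lax", "strict"):
        return [f"{name}: unrecognised SameSite value {samesite!r}"]
    return []

def add_samesite_none(header):
    """Idempotent form of the HAProxy rewrite above: append SameSite=None only
    when no SameSite is declared, and add Secure whenever it is missing, so
    re-running it (or hitting an already-tagged cookie) never duplicates attributes."""
    _, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    if "samesite" not in attrs:
        out += "; SameSite=None"
    if "secure" not in attrs:
        out += "; Secure"
    return out

SAMPLE_HEADERS = [  # constructed for this example, not captured from Confluence
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "remember_me=xyz; Path=/; SameSite=None",
    "xsrf_token=tok; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h) or ["OK"], "->", add_samesite_none(h))
```

Note that the plain HAProxy rule appends the attributes to every Set-Cookie header, including ones that already carry a SameSite value; the function above only adds what is missing.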

Assignee: Unassigned
Reporter: Iker Alonso
Votes: 1
Watchers: 4