Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies:
- The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
- Chrome 80 will treat cookies that have no declared SameSite value as `SameSite=Lax` cookies.
Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.
With this new behaviour enabled in Chrome, the avatars of Confluence users in the activity stream are broken.
- (prior to the Chrome version 80 rollout) In Chrome version 77+ go to "chrome://flags/"
- Search for "SameSite" and enable "SameSite by default cookies" and "Cookies without SameSite must be secure"
- Navigate to the Jira System Dashboard (with an application link to Confluence already in place)
- View the "Activity Stream" to see amongst other things, updates from Confluence
You will see a list of activity from Confluence with each user's avatar next to it.
Cookies from Jira don't have any SameSite attribute attached, so Chrome treats them as `SameSite=Lax`. That breaks the cross-site content inclusion, because loading the avatars requires a valid Jira session cookie to be sent with the request, and a Lax cookie is not sent on cross-site subresource requests such as images.
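The following is an added example, not code from the Jira issue or from Atlassian: a small model of the two Chrome 80 rules listed above (no SameSite means Lax; SameSite=None without Secure means the cookie is rejected), applied to raw `Set-Cookie` headers, plus a check of whether a cookie would accompany a cross-site subresource request such as an embedded avatar image. The cookie names and values are constructed for illustration; the function names (`parseSetCookie`, `chrome80Effective`, `sentIn`, `allowCrossSite`) are this example's own. The handling of an unrecognised SameSite value (treated like an absent attribute) is an assumption.

```javascript
// Parse one Set-Cookie header into name/value plus the attributes we care about.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    secure: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Apply the Chrome 80 rules described in the issue:
//  - no SameSite attribute      -> treated as Lax
//  - SameSite=None without Secure -> cookie rejected outright
//  - SameSite=Strict / Lax        -> used as declared
// Assumption: an unrecognised SameSite value is handled like an absent one.
function chrome80Effective(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') {
    if (!c.secure) {
      return { ...c, effective: null, rejected: true, reason: 'SameSite=None requires Secure' };
    }
    return { ...c, effective: 'none', rejected: false, reason: 'explicit cross-site cookie' };
  }
  if (c.sameSite === 'strict' || c.sameSite === 'lax') {
    return { ...c, effective: c.sameSite, rejected: false, reason: 'declared' };
  }
  return { ...c, effective: 'lax', rejected: false, reason: 'no SameSite attribute, Lax by default' };
}

// Would the cookie be sent on a request made in the given context?
// Contexts: 'same-site', 'cross-site-top-level-get', 'cross-site-subresource'
// (an <img> on another site, like the avatar in the activity stream, is the last one).
function sentIn(header, context) {
  const c = chrome80Effective(header);
  if (c.rejected) return false;
  switch (context) {
    case 'same-site': return true;
    case 'cross-site-top-level-get': return c.effective !== 'strict';
    case 'cross-site-subresource': return c.effective === 'none';
    default: throw new Error(`unknown context ${context}`);
  }
}

// Rewrite a Set-Cookie header so the cookie is explicitly allowed cross-site:
// drop any existing SameSite/Secure attributes and append SameSite=None; Secure.
function allowCrossSite(header) {
  const [nameValue, ...attrs] = header.split(';').map(p => p.trim()).filter(Boolean);
  const kept = attrs.filter(a => !/^(samesite|secure)\s*(=|$)/i.test(a));
  return [nameValue, ...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample headers, not captured from a real Jira or Confluence instance.
const samples = [
  'JSESSIONID=abc123; Path=/; HttpOnly',                 // what Jira sends today
  'token=t1; Path=/; SameSite=None',                      // None without Secure
  'token=t2; Path=/; SameSite=None; Secure',              // correct cross-site cookie
  'token=t3; Path=/; SameSite=Strict; Secure',
];
for (const h of samples) {
  const r = chrome80Effective(h);
  console.log(`${r.name}: effective=${r.effective} rejected=${r.rejected}`
    + ` sentAsCrossSiteImage=${sentIn(h, 'cross-site-subresource')} (${r.reason})`);
}
console.log('fixed:', allowCrossSite(samples[0]));
```

Run it with `node` to see that the session cookie in the first sample is accepted but not sent on the cross-site image request, while the `allowCrossSite` rewrite of the same header is.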
- On Chrome, navigate to chrome://flags/
- Search for SameSite.
- Make sure the following options are Enabled:
  - SameSite by default cookies
  - Cookies without SameSite must be secure