Jira Data Center / JRASERVER-70419

When Chrome enforces SameSite=LAX setting, Avatars from Confluence in the Activity Stream are broken


      Issue Summary

      Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies:

      • The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
      • Chrome 80 will treat cookies that have no declared SameSite value as `SameSite=Lax` cookies.

      Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

      With this new functionality enabled in Chrome the avatars from Confluence users in the activity stream are broken.

      Steps to Reproduce

      1. (prior to the Chrome version 80 rollout) In Chrome version 77+ go to "chrome://flags/"
      2. Search for "SameSite" and enable "SameSite by default cookies" and "Cookies without SameSite must be secure"
      3. Navigate to the Jira System Dashboard (with an application link to Confluence already in place)
      4. View the "Activity Stream" to see amongst other things, updates from Confluence

      Expected Results

      You will see a list of activity from Confluence with the user's avatar next to it

      Actual Results

      Activity is displayed but avatar is broken

      Note

      Cookies from Jira don't have any SameSite policy attached, so Chrome forces "SameSite=LAX". That breaks content inclusion, since loading avatars requires a valid Jira session to be provided.
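
The rule in the note above, modelled as an added example (not Atlassian's code and not part of the original issue): it classifies `Set-Cookie` headers the way Chrome 80 treats them and reports whether each cookie still accompanies a cross-site image request such as the avatar load. The `JSESSIONID` cookie name, the sample headers and all function names are assumptions.

```javascript
// Added example: models the Chrome 80 cookie rules described in this issue.

// Constructed sample Set-Cookie headers (cookie name and values are assumptions).
const SAMPLE_HEADERS = [
  "JSESSIONID=constructed-1; Path=/; HttpOnly",                 // no SameSite
  "JSESSIONID=constructed-2; Path=/; SameSite=None",            // None, not Secure
  "JSESSIONID=constructed-3; Path=/; Secure; SameSite=None",    // None + Secure
  "JSESSIONID=constructed-4; Path=/; Secure; SameSite=Strict",  // Strict
];

// Parse one Set-Cookie value into its name and the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Effective policy with both flags from the steps to reproduce enabled:
// "SameSite by default cookies" and "Cookies without SameSite must be secure".
function effectivePolicy(cookie) {
  if (cookie.sameSite === "none") return cookie.secure ? "none" : "rejected";
  if (cookie.sameSite === "strict") return "strict";
  return "lax"; // a missing or unrecognised value is treated as Lax
}

// Would the cookie be attached to a cross-site subresource request (an <img>
// avatar load started from a page on another site)? Only SameSite=None with
// Secure qualifies, and a Secure cookie is only sent over HTTPS.
function sentOnCrossSiteImage(header, requestIsHttps = true) {
  return requestIsHttps && effectivePolicy(parseSetCookie(header)) === "none";
}

// Summarise a list of headers for review.
function audit(headers) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    return { name: cookie.name, policy: effectivePolicy(cookie),
             crossSiteImage: sentOnCrossSiteImage(h) };
  });
}

console.table(audit(SAMPLE_HEADERS));
```
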

      Jira (JAC):

      Blogger:

      Workaround

      1. On Chrome, navigate to chrome://flags/
      2. Search for SameSite.
      3. Make sure the following options are Enabled:
        • SameSite by default cookies
        • Cookies without SameSite must be secure


              Assignee: Unassigned
              Reporter: Andrew S (asmith4@atlassian.com)
              Votes: 18
              Watchers: 17