Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies:
- The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
- Chrome 80 will treat cookies that have no declared `SameSite` value as `SameSite=Lax` cookies.
Warning from the console:
Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.
With this new behavior enabled in Chrome, functionality such as the following (not limited to) will stop working:
- Confluence's avatars in the activity stream (see JRASERVER-70419)
- Issue collectors embedded in external websites (Fixed)
As a Jira Administrator, I would like to be able to configure the `SameSite` policy for Jira (None, Lax, Strict), with a reasonably secure default.
- Currently there is no known workaround for this behavior within Jira.
- Disable the `SameSite` change in Chrome, as described in Turning off Google Chrome SameSite Cookie Enforcement.
- Add the cookie attribute (`SameSite=None`) at the Tomcat level: Tomcat 8.5.42 introduced a global same-site cookie setting in the default `Rfc6265CookieProcessor`. See Tomcat and Jetty SameSite Workarounds for more details.
- Add the cookie attribute at the proxy level:
  - For example, if using HAProxy, set `SameSite=None` and explicitly add `Secure`, as it is required (credit to ov3):
  - Likewise for F5, an iRule can be utilized:
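An added example (not part of this issue, Jira, or any of the tools named above): a POSIX shell helper that classifies each `Set-Cookie` header the way Chrome 80 will, so an administrator can check whether a Tomcat or proxy-level workaround actually emitted `SameSite=None; Secure` on the cookies that need cross-site access. The hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Classify one Set-Cookie header value under the Chrome 80 rules:
#   lax-by-default  no SameSite attribute; treated as Lax, dropped on cross-site requests
#   rejected        SameSite=None without Secure; Chrome refuses to store the cookie
#   cross-site-ok   SameSite=None; Secure; still sent on cross-site requests
#   lax / strict    explicitly first-party only
# Attributes are parsed after splitting on ';', so a cookie *named*
# "insecure" is not mistaken for the Secure attribute.
samesite_verdict() {
  printf '%s\n' "$1" | tr ';' '\n' | tail -n +2 | tr -d ' \t' | tr 'A-Z' 'a-z' | {
    samesite=unset; secure=no
    while IFS= read -r attr; do
      case "$attr" in
        secure)     secure=yes ;;
        samesite=*) samesite=${attr#samesite=} ;;
      esac
    done
    case "$samesite" in
      none)       [ "$secure" = yes ] && echo cross-site-ok || echo rejected ;;
      lax|strict) echo "$samesite" ;;
      *)          echo lax-by-default ;;   # absent or unrecognized value
    esac
  }
}

# Audit a live server: classify every Set-Cookie header in a GET response.
# Usage: audit_cookies https://jira.example.com/   (placeholder hostname)
audit_cookies() {
  curl -sS -o /dev/null -D - "$1" | tr -d '\r' | grep -i '^set-cookie:' |
  cut -d: -f2- | sed 's/^ *//' |
  while IFS= read -r hdr; do
    printf '%-16s %s\n' "$(samesite_verdict "$hdr")" "${hdr%%;*}"
  done
}
```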