Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-70471

Implement SameSite policy support

    XMLWordPrintable

Details

    • 62
    • 1
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Problem Definition

      Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies:

      • The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
      • With Chrome 80 will treat cookies that have no declared SameSite value as `SameSite=Lax` cookies.

      Warning from the console:

      Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

      With this new functionality enabled in Chrome, functionalities such as (not limited to)

      • Confluence's avatars in the activity stream (see JRASERVER-70419)
      • Issue collectors embedded in external websites will stop working - Fixed JRASERVER-70494

      Suggested Solution

      As a Jira Administrator, I would like to be able to configure `SameSite` policy for Jira (None, Lax, Strict). With a reasonable secure default.

      Workaround

      • Currently there is no known workaround for this behavior within Jira. 
      • Disable `SameSite` change at Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
      • Add cookie headers (SameSite=None) at Tomcat level, Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor.  Check Tomcat and Jetty SameSite Workarounds for more details
      • Add cookie headers at the proxy level:
        • For example, if using HAProxy, set SameSite=None and explicitly add Secure as it's required (credit to ov3): 
          http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
        • Likewise for F5, an iRule can be utilized: 
          # Set SameSite attribute for the JSESSIONID cookie to "lax"
when HTTP_RESPONSE {
    if {[HTTP::cookie exists "JSESSIONID"]}{
        HTTP::cookie attribute "JSESSIONID" remove {samesite}
        HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"
    }
}

      Attachments

        Issue Links

          depended on by

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-70494 Issue Collectors won't work for clients using Chrome 80 which enables new samesite cookie controls

          • High - High priority issues
          • Closed
          is cloned from

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-70419 When Chrome enforces SameSite=LAX setting, Avatars from Confluence in the Activity Stream are broken

          • Low - Low priority issues
          • Gathering Impact
          is related to

          Bug - A problem which impairs or prevents the functions of the product. JSDCLOUD-9544 Session cookie auth does not work cross-site in Chrome for portal-only customers

          • Low - Low priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-59298 When Chrome requires "SameSite=None; Secure" for cross-site cookies, warning messages are displayed in the Developer Tools console

          • Low - Low priority issues
          • Gathering Impact

          Suggestion - CONFSERVER-92662 Implement SameSite policy support in Confluence UI

          • Gathering Interest
          relates to

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-73212 Submitting an issue collector on a non-same origin site results in HTTP 404

          • Highest - Our top priority issues
          • Closed

          Suggestion - JRASERVER-71186 Revert functionality to match user session to Reporter field when providing feedback through Issue Collector

          • Gathering Interest

          PS-59482 Loading...

          JOT-373 Loading...

          PSR-424 Loading...

          mentioned in

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Activity

            People

              Unassigned Unassigned
              rbaldasso Rodrigo Baldasso
              Votes:
              118 Vote for this issue
              Watchers:
              108 Start watching this issue

              Dates

                Created:
                Updated: