Issue type: Suggestion
Resolution: Unresolved
Problem Definition
Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will enforce new requirements on cross-site cookies:
- The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access, and Chrome only honours `SameSite=None` on cookies that also carry the `Secure` attribute.
- Chrome 80 will treat cookies that have no declared SameSite value as `SameSite=Lax` cookies.
Chrome reports each affected cookie as a warning in the developer console.
Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.
With this enforcement enabled in Chrome, functionality such as the following (not limited to) will stop working:
- Confluence avatars in the activity stream (see JRASERVER-70419)
- Issue collectors embedded in external websites (fixed under JRASERVER-70494)
Suggested Solution
As a Jira Administrator, I would like to be able to configure the `SameSite` policy for Jira (None, Lax, Strict), with a reasonably secure default.
Workaround
- Currently there is no known workaround for this behavior within Jira itself.
- Disable the `SameSite` change in Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
- Add the cookie attributes (`SameSite=None; Secure`) at the Tomcat level: Tomcat 8.5.42 introduced a global same-site cookie setting (`sameSiteCookies`) in the default Rfc6265CookieProcessor. Check Tomcat and Jetty SameSite Workarounds for more details.
- Add the cookie attributes at the proxy level:
  - For example, if using HAProxy, set `SameSite=None` and explicitly add `Secure`, since Chrome requires it for `SameSite=None` cookies (credit to ov3):

```
http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
```

  This rule appends the two attributes to every Set-Cookie header, including cookies that already declare a SameSite value, and the `Secure` attribute means the browser will only send the cookies back over HTTPS, so Jira must be reachable over HTTPS for this to work.
  - Likewise for F5, an iRule can be utilized (this example sets `lax`; for a cookie that must be sent cross-site, insert `none` instead and make sure the cookie is also `Secure`):

```tcl
# Set SameSite attribute for the JSESSIONID cookie to "lax"
when HTTP_RESPONSE {
    if {[HTTP::cookie exists "JSESSIONID"]} {
        HTTP::cookie attribute "JSESSIONID" remove {samesite}
        HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"
    }
}
```
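The proxy rewrites above are easy to get subtly wrong (a second `SameSite` attribute appended after an existing one, or `SameSite=None` without `Secure`, which Chrome 80 silently drops). The following is an added example, not code from this issue or from Atlassian: it classifies `Set-Cookie` headers the way Chrome 80 does in a cross-site context, and shows a rewrite that replaces rather than appends the attributes. The cookie values are constructed for illustration; the cookie names are the ones Jira normally sets.

```python
"""Emulate Chrome 80's SameSite handling for Set-Cookie headers.

Rules modelled (from the Chromium announcement referenced in the issue):
  * no SameSite attribute            -> treated as Lax (new default)
  * SameSite=None without Secure     -> cookie is rejected
  * SameSite=None with Secure        -> sent cross-site
  * SameSite=Strict / Lax            -> as declared
Chrome's temporary "Lax + POST" two-minute exception is not modelled.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lowercased attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def effective_samesite(header):
    """Return how Chrome 80 treats the cookie on a cross-site request."""
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        # SameSite=None is only honoured together with Secure.
        return "none" if secure else "rejected"
    if samesite == "strict":
        return "strict"
    # Explicit Lax, a missing attribute, or an unrecognised value all
    # end up as Lax under the new default.
    return "lax"


def allow_cross_site(header):
    """Rewrite a Set-Cookie header so Chrome 80 will send it cross-site.

    Unlike the HAProxy one-liner in the workaround, an existing SameSite
    attribute is replaced instead of duplicated, and Secure is added once.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [
        p for p in parts[1:]
        if p.partition("=")[0].strip().lower() not in ("samesite", "secure")
    ]
    return "; ".join([parts[0]] + kept + ["SameSite=None", "Secure"])


def audit(headers):
    """Map each cookie name to its effective cross-site treatment."""
    return {parse_set_cookie(h)[0]: effective_samesite(h) for h in headers}


# Constructed sample headers (values are placeholders, not real sessions).
CONSTRUCTED_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/jira; HttpOnly",
    "atlassian.xsrf.token=AAAA-BBBB-CCCC-DDDD_x|lin; Path=/jira",
    "seraph.rememberme.cookie=42%3Aabcdef; Path=/jira; HttpOnly; SameSite=None",
    "ajs_anonymous_id=anon-1234; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    for name, treatment in audit(CONSTRUCTED_HEADERS).items():
        print(f"{name:28} -> {treatment}")
    print()
    for h in CONSTRUCTED_HEADERS:
        fixed = allow_cross_site(h)
        print(f"{fixed}  [{effective_samesite(fixed)}]")
```

Running it against real `Set-Cookie` headers captured from the proxy (for example via `curl -sI`) is a quick way to confirm that the rewrite rule produced exactly one `SameSite=None` and one `Secure` per cookie before rolling it out.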
Issue links
- depended on by: JRASERVER-70494 Issue Collectors won't work for clients using Chrome 80 which enables new samesite cookie controls (Closed)
- is cloned from: JRASERVER-70419 When Chrome enforces SameSite=LAX setting, Avatars from Confluence in the Activity Stream are broken (Gathering Impact)
- is related to:
  - JSDCLOUD-9544 Session cookie auth does not work cross-site in Chrome for portal-only customers (Closed)
  - CONFSERVER-59298 When Chrome requires "SameSite=None; Secure" for cross-site cookies, warning messages are displayed in the Developer Tools console (Gathering Impact)
  - CONFSERVER-92662 Implement SameSite policy support in Confluence UI (Gathering Interest)
- relates to:
  - JRASERVER-73212 Submitting an issue collector on a non-same origin site results in HTTP 404 (Closed)
  - JRASERVER-71186 Revert functionality to match user session to Reporter field when providing feedback through Issue Collector (Gathering Interest)
  - PS-59482
  - JOT-373
  - PSR-424