Implement SameSite policy support


      Problem Definition

      Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies:

      • The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
      • Chrome 80 will treat cookies that have no declared SameSite value as `SameSite=Lax` cookies.

      Warning from the console:

      Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

      With this new behaviour enabled in Chrome, functionality such as the following (but not limited to) will be affected:

      • Confluence's avatars in the activity stream (see JRASERVER-70419)
      • Issue collectors embedded in external websites will stop working - Fixed JRASERVER-70494

      Suggested Solution

      As a Jira Administrator, I would like to be able to configure the `SameSite` policy for Jira (None, Lax, Strict), with a reasonably secure default.

      Workaround

      • Currently there is no known workaround for this behavior within Jira.
      • Disable the `SameSite` change in Chrome as described in Turning off Google Chrome SameSite Cookie Enforcement.
      • Add cookie headers (SameSite=None) at the Tomcat level: Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor. Check Tomcat and Jetty SameSite Workarounds for more details.
      • Add cookie headers at the proxy level:
        • For example, if using HAProxy, set SameSite=None and explicitly add Secure as it's required (credit to ov3):
          http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
          
        • Likewise for F5, an iRule can be utilized:
          # Set SameSite attribute for the JSESSIONID cookie to "lax"
          when HTTP_RESPONSE {
              if {[HTTP::cookie exists "JSESSIONID"]}{
                  HTTP::cookie attribute "JSESSIONID" remove {samesite}
                  HTTP::cookie attribute "JSESSIONID" insert {samesite} "lax"
              }
          }
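The proxy-level workarounds above append the attribute blindly. The following is an added Python example (not Jira, Tomcat, HAProxy or F5 code) of the same Set-Cookie rewrite done carefully: it drops any existing SameSite attribute first, as the F5 iRule does, and adds Secure when None is chosen, because browsers discard SameSite=None cookies that are not Secure. The function names and sample headers are constructed for this example.

```python
import re

# Matches an existing "; SameSite=<value>" attribute anywhere in the header.
_SAMESITE_RE = re.compile(r";\s*samesite\s*=\s*[^;]*", re.IGNORECASE)
# Matches a standalone "; Secure" attribute (not a cookie named "Secure").
_SECURE_RE = re.compile(r";\s*secure\s*(?=;|$)", re.IGNORECASE)


def apply_samesite(set_cookie: str, policy: str) -> str:
    """Return the Set-Cookie value with SameSite=<policy> (None, Lax or Strict).

    Any previous SameSite attribute is removed so the header never carries two
    conflicting values. SameSite=None is only honoured by browsers together
    with Secure, so Secure is added in that case if it is missing.
    """
    policy = policy.capitalize()
    if policy not in ("None", "Lax", "Strict"):
        raise ValueError(f"unsupported SameSite policy: {policy}")
    header = _SAMESITE_RE.sub("", set_cookie).rstrip("; ")
    result = f"{header}; SameSite={policy}"
    if policy == "None" and not _SECURE_RE.search(header):
        result += "; Secure"
    return result


def apply_to_response(headers, policy):
    """Rewrite every Set-Cookie header in a list of (name, value) pairs."""
    return [
        (name, apply_samesite(value, policy) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


if __name__ == "__main__":
    # Constructed sample response headers, as a Jira-like application might emit.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "atlassian.xsrf.token=xyz; Path=/; SameSite=Lax"),
    ]
    for name, value in apply_to_response(sample, "None"):
        print(f"{name}: {value}")
```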
          

            Assignee: Unassigned
            Reporter: Rodrigo Baldasso
            Votes: 126
            Watchers: 117
