Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies:
- The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
- Chrome 80 will treat cookies that have no declared `SameSite` value as `SameSite=Lax` cookies.
Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.
With this new behaviour enabled in Chrome, functionality such as the following (not limited to) will stop working:
- Confluence's avatars in the activity stream (see JRASERVER-70419)
- Issue collectors embedded in external websites - Fixed
As a Jira Administrator, I would like to be able to configure the `SameSite` policy for Jira (None, Lax, Strict), with a reasonably secure default.
- None on the Jira side.
- Disable the `SameSite` change in Chrome.
- Add cookie headers (`SameSite=None`) at the Tomcat level; Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor.
- See this page for more details: https://wiki.shibboleth.net/confluence/display/DEV/Tomcat+and+Jetty+SameSite+Workarounds
- Add cookie headers (`SameSite=None`) at the proxy level, adding an explicit `Secure` attribute as well, since it is required alongside `SameSite=None`.
- Example for HAProxy (credit to Olivier Voortman):
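The proxy-level rewrite described above, as an added Python illustration (this is not the HAProxy configuration from the ticket and not Jira's own code): it appends `SameSite=None` only to an assumed allow-list of cookies that are genuinely needed cross-site, replaces any conflicting `SameSite` value, and adds `Secure`, which browsers require alongside `SameSite=None`. The cookie names and sample headers are constructed.

```python
"""Rewrite Set-Cookie headers so selected cookies remain usable cross-site.

Mirrors what a reverse proxy does in the workaround: a cookie with
SameSite=None must also carry Secure, otherwise the browser rejects it.
Cookies not on the allow-list are left untouched and therefore fall back
to the browser's Lax default.
"""

# Assumed allow-list: only cookies that must be sent in cross-site
# requests (e.g. the session cookie an embedded issue collector relies on).
CROSS_SITE_COOKIES = {"JSESSIONID"}  # constructed example value


def rewrite_set_cookie(header_value: str, cross_site_names: set) -> str:
    """Return the Set-Cookie value with SameSite=None; Secure applied
    when the cookie name is on the allow-list; otherwise return it unchanged."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if name not in cross_site_names:
        return header_value
    attrs = [a for a in parts[1:] if a]
    # Remove any existing SameSite attribute so we never emit two values.
    attrs = [a for a in attrs if not a.lower().startswith("samesite")]
    # Secure is mandatory next to SameSite=None (and implies HTTPS only).
    if not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")
    attrs.append("SameSite=None")
    return "; ".join([parts[0]] + attrs)


def rewrite_response_headers(headers, cross_site_names=CROSS_SITE_COOKIES):
    """Apply rewrite_set_cookie to every Set-Cookie header in a
    (name, value) list, leaving all other headers as they are."""
    return [
        (n, rewrite_set_cookie(v, cross_site_names) if n.lower() == "set-cookie" else v)
        for n, v in headers
    ]


if __name__ == "__main__":
    # Constructed upstream response headers, as a proxy would see them.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]
    for n, v in rewrite_response_headers(sample):
        print(f"{n}: {v}")
```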