Jira Server and Data Center / JRASERVER-70471

Implement SameSite policy support


    Details

    • UIS:
      22
    • Support reference count:
      1
    • Feedback Policy:
      We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      Problem Definition

      Starting in February 2020, Chrome version 80 (and later Firefox and IE as well) will start enforcing different requirements on cross-site cookies:

      • The new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, `SameSite=None`, to designate cookies for cross-site access.
      • Chrome 80 will treat cookies that have no declared SameSite value as `SameSite=Lax` cookies.

      Reference https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for full details on the change in Chrome's behavior.

      With this new behaviour enabled in Chrome, functionality such as (but not limited to) the following will stop working:

      • Confluence's avatars in the activity stream (see JRASERVER-70419)
      • Issue collectors embedded in external websites (fixed in JRASERVER-70494)

      Suggested Solution

      As a Jira Administrator, I would like to be able to configure the `SameSite` policy for Jira's cookies (None, Lax, Strict), with a reasonably secure default.

      Workaround

      • None on the Jira side.
      • Disable the `SameSite` change in Chrome.
      • Add the cookie attribute (`SameSite=None`) at the Tomcat level: Tomcat 8.5.42 introduced a global same-site cookie setting in the default Rfc6265CookieProcessor.
      • Add the cookie attribute (`SameSite=None`) at the proxy level; note that an explicit `Secure` attribute must be added as well, since it is required for `SameSite=None` cookies.
        • Example for HAProxy (credit to Olivier Voortman):
          http-response replace-header Set-Cookie ^(.*) \1;\ SameSite=None;\ Secure
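The Chrome 80 defaults described in the problem definition (missing SameSite treated as Lax, SameSite=None rejected without Secure) and the proxy-level header rewrite from the workaround, as an added Python example; this is not code from the issue, from Jira or from Atlassian. The helper names, the constructed sample headers and the treatment of unrecognised SameSite values as "absent" are assumptions of this example.

```python
"""
Set-Cookie SameSite handling (added example, not Jira's code).

effective_samesite(): what a Chrome 80 style browser does with one Set-Cookie
                      header: no SameSite -> Lax; SameSite=None without Secure
                      -> cookie rejected.
add_samesite_none():  an idempotent version of the HAProxy rewrite quoted in
                      the workaround: forces SameSite=None, guarantees Secure,
                      and does not leave duplicate attributes behind.
"""
from typing import List, Optional, Tuple

SAMESITE_VALUES = ("strict", "lax", "none")


def _split_cookie(header: str) -> Tuple[str, List[str]]:
    """Split a Set-Cookie value into the name=value pair and its attribute list."""
    parts = [p.strip() for p in header.split(";")]
    return parts[0], [p for p in parts[1:] if p]


def _attr_value(attrs: List[str], name: str) -> Optional[str]:
    """Value of the last occurrence of attribute `name` (case-insensitive):
    "" for a value-less attribute such as Secure, None when absent.
    Last occurrence wins, mirroring RFC 6265 attribute processing."""
    found = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.strip().lower() == name.lower():
            found = value.strip()
    return found


def effective_samesite(header: str) -> Tuple[str, bool]:
    """Return (effective_policy, accepted) for one Set-Cookie header under the
    Chrome 80 rules. Assumption: an unrecognised SameSite value is treated
    like a missing one and falls back to the Lax default."""
    _, attrs = _split_cookie(header)
    raw = _attr_value(attrs, "SameSite")
    secure = _attr_value(attrs, "Secure") is not None
    policy = raw.lower() if raw is not None else None
    if policy not in SAMESITE_VALUES:
        policy = "lax"          # Chrome 80: no declared SameSite -> Lax
    if policy == "none" and not secure:
        return "none", False    # rejected: SameSite=None requires Secure
    return policy, True


def add_samesite_none(header: str) -> str:
    """Rewrite a Set-Cookie header for cross-site use: drop any existing
    SameSite/Secure attributes, then append SameSite=None and Secure.
    Unlike an unconditional regex append, running this twice yields the
    same header and a prior SameSite=Lax is not left alongside None."""
    pair, attrs = _split_cookie(header)
    kept = [a for a in attrs
            if a.partition("=")[0].strip().lower() not in ("samesite", "secure")]
    kept += ["SameSite=None", "Secure"]
    return "; ".join([pair] + kept)


# Constructed sample headers; cookie names are placeholders, not Jira's.
SAMPLE_HEADERS = [
    "SESSION=abc123; Path=/; HttpOnly",             # no SameSite -> Lax default
    "TOKEN=tok; Path=/; SameSite=None",             # None without Secure -> rejected
    "REM=rm; Path=/; Secure; SameSite=Lax",         # explicit Lax, kept as is
]


def audit(headers: List[str]) -> List[Tuple[str, str, bool]]:
    """Classify each header before and confirm the rewrite makes it accepted."""
    rows = []
    for h in headers:
        policy, ok = effective_samesite(h)
        rows.append((h, policy, ok))
    return rows


if __name__ == "__main__":
    for header, policy, ok in audit(SAMPLE_HEADERS):
        print(f"{'OK ' if ok else 'REJ'} {policy:<6} {header}")
        print(f"    -> {add_samesite_none(header)}")
```

The HAProxy rule in the workaround appends `SameSite=None; Secure` unconditionally, so a cookie that already carries `SameSite=Lax` ends up with two SameSite attributes and relies on the browser taking the last one; the function above removes the earlier attribute first, which is the behaviour to check for when reviewing such a rewrite. In Tomcat 8.5.42 and later the same effect is configured with the `sameSiteCookies` attribute of the `CookieProcessor` element in `context.xml` rather than by rewriting headers.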
          

    People

    Assignee: Unassigned
    Reporter: rbaldasso (Rodrigo Baldasso)
    Votes: 73
    Watchers: 66