Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-70494

Issue Collectors won't work for clients using Chrome 80 which enables new samesite cookie controls

XMLWordPrintable

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Issue Summary

      Chrome version 80 is set to ship in February 2020. With this release there are some new cookie security features coming that will force Chrome clients to enforce a SameSite check policy. Right now, this policy would break all the functionality of issue collectors that appear on separate domains.
      If the issue collector could set the SameSite=None in the cookie it appears that it could at least allow the issue collectors to work on different sites.

      Steps to Reproduce

      1. Inside a Chrome browser, go to address of chrome://flags and find entry called 'SameSite by default cookies' change this from default to Enabled (this feature is expected to ship in official Chrome 80 version on by default, hence this is something we should look to support, even if this specific version is not yet officially supported).
      2. Then in my Jira Cloud site, I created a new issue collector
      3. Copy the javascript of the issue collector and enter it into a site on a different domain

      Expected Results

      Issue collector works as expected.

      Actual Results

      Issue collector does not work. When the user click the expand button, they are presented with an error asking them to enable 3rd party cookies

      We noticed that you have third-party cookies disabled in your browser. We need this enabled to correctly submit your feedback. Once youve enabled cookies, please refresh the page. 
      

      The browser console log has an info message of

      A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
      Dashboard.jspa:1 A cookie associated with a cross-site resource at http://atlassian.net/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032. 
      

      Notes:

      This feature can be enabled on most modern versions of Chrome such as 79.0.3945.117 (my current version) and also within Canary versions such as Version 81.0.4029.0 (Official Build) canary (64-bit).
      The expectation though is that Chrome will implement this feature as on by default when a stable version of v80 is released. https://blog.chromium.org/2019/10/developers-get-ready-for-new.html explains this further.

      Mozilla has affirmed their support of the new cookie classification model with their intent to implement the SameSite=None; Secure requirements for cross-site cookies in Firefox. Microsoft recently announced plans to begin implementing the model starting as an experiment in Microsoft Edge 80.

      Note on Fix

      XSRF token check was disabled for this API:

      You don’t have to enable 3rd party cookies to make the issue collector work. We’ve removed this requirement, also dropping some error messages that reminded about it.

      from https://confluence.atlassian.com/jirasoftware/jira-software-8-7-x-upgrade-notes-987138245.html
      and https://confluence.atlassian.com/jirasoftware/jira-software-8-5-x-upgrade-notes-976781036.html

      Workaround

      1. In Chrome you could go to chrome://flags
      2. Find the entry for 'SameSite by default cookies'
      3. Set this to Disabled
      4. Relaunch Chrome

              mrzymski Maciej Rzymski
              aheinzer Andy Heinzer
              Votes:
              2 Vote for this issue
              Watchers:
              34 Start watching this issue

                Created:
                Updated:
                Resolved: