Support for "SameSite" origin changes coming to Chrome 80 #449

Closed
criterion9 opened this issue Feb 1, 2020 · 7 comments

@criterion9 criterion9 commented Feb 1, 2020

The cookies dropped by OWA need to set the SameSite attribute to None as well as setting the Secure flag in order to be supported by the imminent version of Chrome that will be released to the greater stable channel. Currently those attributes are not being set on the cookie, which will start to fail for those who upgrade to the most current stable Chrome version within a few days.

@criterion9 criterion9 commented Feb 1, 2020

Some more details... The behavior of open third-party cookies is changing by default in Chrome first, but other browsers are following the same path. It may be worth a revisit to how the cookie data is shared with the tracking JavaScript that is embedded into the pages that will be tracked. Perhaps such as by dropping a cookie in the current domain context and resolving cross-domain attributes by connecting the data server-side instead.

To support the "current" releases of browsers where the cookies are expected to be used in a third-party context, the advice is to use sameSite:none;secure when setting those cookies. This will not work for some older browsers that incorrectly block the cookie from being sent with the request. This adds some complexity that would be required to adjust whether or not to use the updated sameSite:none;secure attributes based on the browser client.

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://www.chromium.org/updates/same-site/incompatible-clients
https://github.com/GoogleChromeLabs/samesite-examples/blob/master/javascript.md

@criterion9 criterion9 changed the title from "Support for "SameSite" origin changes coming to Chrome 40" to "Support for "SameSite" origin changes coming to Chrome 80" Feb 1, 2020
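
The per-client decision described in the Feb 1 comment above, as an added example that is not part of the original thread and is not OWA's code. It follows the client categories on the linked Chromium incompatible-clients page, narrowed to four of them; the function names, cookie name and regexes are assumptions made for illustration.

```javascript
// Added example: pick cookie attributes per client for a cookie that must be
// sent in a third-party context. All function names here are hypothetical.

// True for clients that mishandle SameSite=None. The regexes are
// approximations written for this example (assumption).
function isSameSiteNoneIncompatible(ua) {
  return hasWebKitSameSiteBug(ua) || dropsUnrecognizedSameSite(ua);
}

// iOS 12 (all browsers) and Safari on macOS 10.14 treat None as Strict.
function hasWebKitSameSiteBug(ua) {
  const ios = /\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\//.exec(ua);
  if (ios && ios[1] === "12") return true;
  const mac = /\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\//.exec(ua);
  const isSafari = /Version\/.* Safari\//.test(ua) && !/Chrom(e|ium)/.test(ua);
  return Boolean(mac && mac[1] === "10" && mac[2] === "14" && isSafari);
}

// Chrome 51-66 and UC Browser before 12.13.2 reject cookies with SameSite=None.
function dropsUnrecognizedSameSite(ua) {
  const uc = /UCBrowser\/(\d+)\.(\d+)\.(\d+)/.exec(ua);
  if (uc) {
    const [major, minor, build] = uc.slice(1).map(Number);
    if (major !== 12) return major < 12;
    if (minor !== 13) return minor < 13;
    return build < 2;
  }
  const chrome = /Chrom[^ \/]+\/(\d+)/.exec(ua);
  return Boolean(chrome && Number(chrome[1]) >= 51 && Number(chrome[1]) <= 66);
}

// Build the Set-Cookie header value. Incompatible clients get no SameSite
// attribute at all; they predate the Lax default and apply no restriction.
function buildThirdPartyCookie(name, value, ua) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure"];
  if (!isSameSiteNoneIncompatible(ua || "")) parts.push("SameSite=None");
  return parts.join("; ");
}
```

A missing or unrecognised User-Agent falls through to `SameSite=None; Secure`, which is the behaviour current browsers expect.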

@padams padams commented Feb 1, 2020

I don't think so... OWA uses first party cookies.

"With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies."

Am I missing something?

@criterion9 criterion9 commented Feb 1, 2020

When I use a separate domain for hosting OWA and embed the JavaScript tracker I get warnings in developer tools about the cross-origin cookie usage:

Note: This example is from a local environment
image

@padams padams commented Feb 1, 2020

@criterion9 criterion9 commented Feb 1, 2020

Gotcha! I have not dived into the cookies in OWA as of yet so I wasn't sure. The warnings I'm seeing are really from the admin cookies not having a SameSite attribute set currently as opposed to something that will break with the browser change.
We can close this issue unless you would want a PR created to add a SameSite attribute to those cookies to remove the warning messages. I'm assuming others may start looking at those warnings while they are testing other integrations (like I was) for possible breakages when the change is put in place.

@padams padams commented Feb 1, 2020

@Maaiins Maaiins commented Apr 5, 2020

See #505, fixed in master. Feel free to reopen if there is still any problem.

@Maaiins Maaiins closed this Apr 5, 2020