ICEfaces
  1. ICEfaces
  2. ICE-11486

Chrome 80 restricts cross domain cookies without SameSite=None

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Won't Fix
    • Affects Version/s: EE-1.8.2.GA_P10, EE-3.3.0.GA_P07, EE-4.3.0.GA_P01
    • Component/s: Bridge
    • Labels:
      None
    • Environment:
      All ICEpush envs.
    • Assignee Priority:
      P1
    • Support Case References:
      SF#14574

      Description

      Case Subject: set SameSite=None and secure for ice.push.browser cookie

      Case Description: How to set SameSite=None and secure for "ice.push.browser" cookie from our application. Please help on this. Because our application will not support from chrome 80 onwards as browser will restrict the cross domain cookies without SameSite=None and secure.

        Activity

        Ken Fyten created issue -
        Ken Fyten made changes -
        Field Original Value New Value
        Assignee Mircea Toma [ mircea.toma ]
        Fix Version/s EE-3.3.0.GA_P08 [ 13293 ]
        Fix Version/s EE-4.3.0.GA_P02 [ 13292 ]
        Fix Version/s EE-1.8.2.GA_P11 [ 13275 ]
        Affects Version/s EE-3.3.0.GA_P07 [ 13118 ]
        Affects Version/s EE-1.8.2.GA_P10 [ 13089 ]
        Affects Version/s EE-1.8.2.GA_P11 [ 13275 ]
        Affects Version/s EE-3.3.0.GA_P08 [ 13293 ]
        Assignee Priority P1 [ 10010 ]
        Hide
        Mircea Toma added a comment - - edited

        When ICEpush is initialised it will always connect back to the same site where the page (that initialised it) was loaded from. Because of that ice.push.browser will always be used as a first-party cookie.
        Also, there aren't any ICEpush resources that can be referenced from a different site that can be accessed through a GET request, nor ICEpush care to have ice.push.browser cookie set as a third-party cookie to track its usage on other sites.

        For that matter we could create ice.push.browser with SameSite=Strict and ICEpush should still work in any deployment. Since we do not specify SameSite cookie attribute it defaults to Lax. And finally, setting ice.push.browser with SameSite=None it's not possible because that would force it to also be Secure which will cripple deployments where a reverse proxy (as load balancer) is setup.

        Show
        Mircea Toma added a comment - - edited When ICEpush is initialised it will always connect back to the same site where the page (that initialised it) was loaded from. Because of that ice.push.browser will always be used as a first-party cookie. Also, there aren't any ICEpush resources that can be referenced from a different site that can be accessed through a GET request, nor ICEpush care to have ice.push.browser cookie set as a third-party cookie to track its usage on other sites. For that matter we could create ice.push.browser with SameSite=Strict and ICEpush should still work in any deployment. Since we do not specify SameSite cookie attribute it defaults to Lax . And finally, setting ice.push.browser with SameSite=None it's not possible because that would force it to also be Secure which will cripple deployments where a reverse proxy (as load balancer) is setup.
        Mircea Toma made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Won't Fix [ 2 ]
        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Mircea Toma
            Reporter:
            Ken Fyten
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: