[https://issues.apache.org/jira/browse/KNOX-2387?focusedWorklogId=447214&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-447214]
ASF GitHub Bot logged work on KNOX-2387:
----------------------------------------
Author: ASF GitHub Bot
Created on: 17/Jun/20 10:48
Start Date: 17/Jun/20 10:48
Worklog Time Spent: 10m
Work Description: moresandeep commented on pull request #347:
URL: https://github.com/apache/knox/pull/347#issuecomment-645300250
> So, as far as I understood Chrome made the default behavior more secure by
> setting the default to `Lax`. With this change, we blindly set this to `None`
> to be backward compatible. At least, I'd introduce a provider parameter for
> this purpose to allow end-users to control it like this:
>
> 1. in the `init()` method I'd parse the newly introduced
> `knoxsso.cookie.samesite` and save it to a class member
> 2. in `addJWTHadoopCookie` I'd check if it's set and use the custom value
> or default to `None`
The history of this fix in Chrome is terrible (at least from testing this fix);
the update is rolled back for the time being (until Covid-19) because it was
causing a lot of websites to break.
Details: [Google is temporarily rolling back Chrome's SameSite cookie requirements](https://www.theverge.com/2020/4/3/21207248/chrome-samesite-cookie-roll-back-update-privacy-settings)
By changing `SameSite=none` we are not making it insecure, this is why:
1. This is a legit use-case for `SameSite=none`, we are a third-party cookie
used for SSO login and this cookie is required for proper SSO functioning.
2. This is how it works in FF currently so anyone using FF will be using
`SameSite=none`.
3. Okta, which is an IdP, [updated its cookies](https://support.okta.com/help/s/article/FAQ-How-Chrome-80-Update-for-SameSite-by-default-Potentially-Impacts-Your-Okta-Environment)
to `SameSite=none`.
Adding a param to let users control it is IMO not required, as `none` will
be the only accepted value here; any other value would break SSO.
This is some documentation on this "feature" -
https://www.chromestatus.com/feature/5088147346030592
This is a good writeup on this issue -
https://support.okta.com/help/s/article/FAQ-How-Chrome-80-Update-for-SameSite-by-default-Potentially-Impacts-Your-Okta-Environment
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
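The cookie handling discussed in the review above, as an added example that is not Knox's own code: the servlet `Cookie` API has no SameSite field, so the `Set-Cookie` header is assembled by hand. It follows the reviewer's two-step shape (parse `knoxsso.cookie.samesite` once, default to `None`, apply it when the JWT cookie is added) and adds the check a practitioner wants: Chrome 80+ discards a `SameSite=None` cookie that is not also `Secure`. The cookie name `hadoop-jwt`, the `/` path and the parameter map are assumptions for this example.

```java
import java.util.Locale;
import java.util.Map;

// Added example, not Apache Knox's own code. Builds the Set-Cookie header for
// the KnoxSSO JWT cookie with a configurable SameSite attribute.
public final class SameSiteCookie {
    // Parameter name taken from the review suggestion; default per the PR.
    private static final String SAMESITE_PARAM = "knoxsso.cookie.samesite";
    private static final String DEFAULT_SAMESITE = "None";

    private final String sameSite;

    // Mirrors the suggested init(): read the parameter once, default to None,
    // and reject values a browser would not understand.
    public SameSiteCookie(Map<String, String> providerParams) {
        String raw = providerParams.getOrDefault(SAMESITE_PARAM, DEFAULT_SAMESITE).trim();
        switch (raw.toLowerCase(Locale.ROOT)) {
            case "strict": sameSite = "Strict"; break;
            case "lax":    sameSite = "Lax";    break;
            case "none":   sameSite = "None";   break;
            default: throw new IllegalArgumentException(
                SAMESITE_PARAM + " must be Strict, Lax or None, got: " + raw);
        }
    }

    // Mirrors addJWTHadoopCookie(): a SameSite=None cookie is only accepted by
    // Chrome 80+ when it is also marked Secure, so None without Secure is an error.
    public String setCookieHeader(String name, String jwt, String domain, boolean secure) {
        if ("None".equals(sameSite) && !secure) {
            throw new IllegalStateException("SameSite=None requires the Secure attribute");
        }
        StringBuilder sb = new StringBuilder()
            .append(name).append('=').append(jwt)
            .append("; Path=/; HttpOnly");
        if (domain != null && !domain.isEmpty()) {
            sb.append("; Domain=").append(domain);
        }
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; SameSite=").append(sameSite);
        return sb.toString();
    }

    public static void main(String[] args) {
        // No parameter configured: falls back to SameSite=None, which needs Secure.
        SameSiteCookie cookie = new SameSiteCookie(Map.of());
        System.out.println(cookie.setCookieHeader("hadoop-jwt", "<jwt>", "example.com", true));
    }
}
```

The returned string is what goes into `response.addHeader("Set-Cookie", ...)` in place of the servlet `Cookie` object.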
Issue Time Tracking
-------------------
Worklog Id: (was: 447214)
Time Spent: 50m (was: 40m)
> KnoxSSO broken on recent Chrome browsers (version > 80)
> -------------------------------------------------------
>
> Key: KNOX-2387
> URL: https://issues.apache.org/jira/browse/KNOX-2387
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxSSO
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 1.4.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Google chrome changed the default behavior of SameSite parameter in
> Set-Cookie header from None to Lax. This causes partial breakage of Knox SSO.
> Details about Chrome browser feature -
> [https://www.chromestatus.com/feature/5088147346030592]
> How it affects -
> [https://support.okta.com/help/s/article/FAQ-How-Chrome-80-Update-for-SameSite-by-default-Potentially-Impacts-Your-Okta-Environment]
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)