Browser security updates for cross-site cookies

Overview

  • Google Chrome version 80, released on February 4, 2020, introduces changes to its handling of cross-site (also known as third-party) cookies.
  • For more information, see https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html
  • While specifics have not yet been finalized, Mozilla Firefox is also likely to update its defaults for cross-site cookies.
  • This change will impact some MIT services. For example, some vendor sites may need to be updated to handle cross-site cookies correctly when redirecting between the vendor site and the Touchstone IdP (idp.mit.edu).

Test results

MIT test results for vendor site integration with Touchstone authentication

Instructions for testing applications

Firefox

  1. Verify that you are using Firefox version 60 or higher, and are NOT using Firefox ESR.
    1. You can upgrade to the latest Firefox version at https://getfirefox.com.
    2. Note that Firefox Extended Support Release (ESR), which is available from the IST software download grid, does not currently support the updated, more secure SameSite cookie attribute configuration.
  2. Navigate to: about:config

  3. Search for "samesite".

  4. The search results display these two configurations. Set both of them to True:
    network.cookie.sameSite.laxByDefault
    network.cookie.sameSite.noneRequiresSecure

Chrome

Chrome can be configured using the settings detailed below to implement the more secure cross-site cookie settings. However, Chrome will make an exception for cookies set without a SameSite attribute less than 2 minutes ago. This makes testing with Chrome a bit more complicated.

  1. Navigate to chrome://flags.
  2. Enable two experiments:
    1. SameSite by default cookies
    2. Cookies without SameSite must be secure
  3. Launch Chrome with this argument:
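The two Firefox preferences and the two Chrome experiments above switch on the same pair of rules: a cookie with no SameSite attribute is treated as Lax, and SameSite=None is only honoured together with Secure. The following is an added example (not code from the MIT page, Firefox or Chrome) that models those rules in a few lines so you can see why a vendor site's session cookie stops arriving on the cross-site POST from the IdP, and how Chrome's two-minute exception changes the result. The cookie and request values are constructed for the illustration; the model covers only the cases discussed on this page, not the full cookie specification.

```python
# Added example (not from the MIT page or any browser's source): a simplified model
# of the cookie rules the Firefox prefs / Chrome flags above turn on, used to see
# which cookies a browser still attaches to a cross-site request.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None if the attribute was absent
    secure: bool = False
    age_seconds: float = 0.0  # seconds since the cookie was set (for Chrome's grace period)


@dataclass
class Request:
    cross_site: bool          # request site differs from the site that set the cookie
    method: str               # "GET", "POST", ...
    top_level: bool           # a top-level navigation (not a subresource or XHR)
    https: bool = True


LAX_POST_GRACE_SECONDS = 120  # the "less than 2 minutes" exception described above


def is_stored(cookie: Cookie, none_requires_secure: bool = True) -> bool:
    """A browser enforcing 'SameSite=None requires Secure' rejects SameSite=None
    cookies that lack the Secure attribute outright."""
    return not (none_requires_secure and cookie.samesite == "None" and not cookie.secure)


def effective_samesite(cookie: Cookie, lax_by_default: bool = True) -> str:
    """Legacy browsers treated a missing attribute as None; the new default is Lax."""
    if cookie.samesite is None:
        return "Lax" if lax_by_default else "None"
    return cookie.samesite


def would_send(cookie: Cookie, req: Request, *, lax_by_default: bool = True,
               none_requires_secure: bool = True, chrome_lax_post_grace: bool = False) -> bool:
    """Whether the cookie is attached to the request under the given policy switches."""
    if not is_stored(cookie, none_requires_secure):
        return False
    if cookie.secure and not req.https:
        return False
    if not req.cross_site:
        return True
    mode = effective_samesite(cookie, lax_by_default)
    if mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: sent cross-site only on top-level navigations that use a safe method
    if req.top_level and req.method in ("GET", "HEAD"):
        return True
    # Chrome's temporary exception: a cookie with no SameSite attribute is still sent
    # on a top-level cross-site POST for a short time after it was set
    if (chrome_lax_post_grace and cookie.samesite is None and req.top_level
            and req.method == "POST" and cookie.age_seconds < LAX_POST_GRACE_SECONDS):
        return True
    return False


# Constructed scenario: the IdP (idp.mit.edu) POSTs a SAML response back to a vendor
# SP; the SP's session cookie must ride along on that cross-site, top-level POST.
SAML_POST_TO_SP = Request(cross_site=True, method="POST", top_level=True)
LEGACY_SP_COOKIE = Cookie("sp_session", samesite=None, secure=True, age_seconds=600)
FIXED_SP_COOKIE = Cookie("sp_session", samesite="None", secure=True)
BROKEN_SP_COOKIE = Cookie("sp_session", samesite="None", secure=False)


def scenario_report() -> dict:
    """Run the scenario under old and new browser defaults; returns case -> sent?"""
    return {
        "legacy cookie, old defaults": would_send(
            LEGACY_SP_COOKIE, SAML_POST_TO_SP, lax_by_default=False, none_requires_secure=False),
        "legacy cookie, new defaults": would_send(LEGACY_SP_COOKIE, SAML_POST_TO_SP),
        "legacy cookie, Chrome grace, set 30s ago": would_send(
            Cookie("sp_session", None, True, 30), SAML_POST_TO_SP, chrome_lax_post_grace=True),
        "SameSite=None; Secure, new defaults": would_send(FIXED_SP_COOKIE, SAML_POST_TO_SP),
        "SameSite=None without Secure, new defaults": would_send(BROKEN_SP_COOKIE, SAML_POST_TO_SP),
    }


if __name__ == "__main__":
    for case, sent in scenario_report().items():
        print(f"{case}: {'sent' if sent else 'NOT sent'}")
```

The "Chrome grace" case is the reason the page calls Chrome testing complicated: a cookie that the IdP or SP set within the last two minutes still reaches the cross-site POST, so a quick manual login can look fine even though the same flow fails once the cookie is older than the grace period.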

Additional information for application developers and maintainers

For sites using the Shibboleth SP software

https://wiki.shibboleth.net/confluence/display/SP3/SameSite

For sites using the SimpleSAMLphp SP software

As of version 1.17.3, new options can be configured to set a specific value for the SameSite attribute.

Note: While adding the "SameSite=None" attribute using the options described in the above link will resolve the issue for Firefox, Chrome, and some other browsers, it will break on some others, in particular Safari on all older versions of macOS and iOS.

More information is available at: https://www.chromium.org/updates/same-site/incompatible-clients
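The note above says that sending "SameSite=None" unconditionally fixes Firefox and Chrome but breaks older Safari. The usual way out is to emit the attribute only for clients known to handle it. The following is an added example, not code from the MIT page, SimpleSAMLphp or Shibboleth, showing a small server-side helper that builds a Set-Cookie value this way. The user-agent checks are an assumption adapted from the Chromium "incompatible clients" guidance linked above (iOS 12, Safari and embedded WebKit on macOS 10.14, Chrome 51 to 66, old UC Browser); the user-agent strings at the bottom are constructed for the illustration.

```python
# Added example (not part of the MIT page, SimpleSAMLphp or Shibboleth): build a
# Set-Cookie value that uses SameSite=None only for clients known to accept it.
# The user-agent checks are an assumption adapted from the Chromium "incompatible
# clients" guidance; treat them as a starting point, not a specification.
import re


def _chromium_major(ua: str):
    m = re.search(r"Chrom(?:e|ium)/(\d+)\.", ua)
    return int(m.group(1)) if m else None


def is_samesite_none_incompatible(user_agent: str) -> bool:
    """True if the client is known to mishandle 'SameSite=None' (it drops the cookie
    or treats it as Strict), so the attribute should be omitted for it."""
    ua = user_agent or ""
    # All browsers on iOS 12 share a WebKit that treats SameSite=None as Strict
    if re.search(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/", ua):
        return True
    # Safari and embedded WebKit views on macOS 10.14 have the same bug
    if re.search(r"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/", ua):
        is_safari = bool(re.search(r"Version/.* Safari/", ua)) and "Chrom" not in ua
        is_embedded = bool(re.match(
            r"^Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ \(KHTML, like Gecko\)$", ua))
        if is_safari or is_embedded:
            return True
    # Chrome/Chromium 51 to 66 reject cookies carrying SameSite=None
    major = _chromium_major(ua)
    if major is not None and 51 <= major <= 66:
        return True
    # UC Browser on Android before 12.13.2
    m = re.search(r"UCBrowser/(\d+)\.(\d+)\.(\d+)", ua)
    if m and tuple(int(x) for x in m.groups()) < (12, 13, 2):
        return True
    return False


def set_cookie_header(name: str, value: str, user_agent: str, *,
                      cross_site: bool = True, secure: bool = True) -> str:
    """Return the Set-Cookie value for a session cookie.

    cross_site=True means the cookie must survive a cross-site POST (for example a
    SAML response posted by the IdP to the SP), so it needs SameSite=None and Secure.
    """
    if cross_site and not secure:
        # Browsers enforcing "None requires Secure" would silently drop such a cookie
        raise ValueError("a cross-site cookie must be Secure (SameSite=None requires Secure)")
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if not cross_site:
        parts.append("SameSite=Lax")
    elif not is_samesite_none_incompatible(user_agent):
        parts.append("SameSite=None")
    # For incompatible clients the attribute is left out; those older browsers then
    # fall back to their legacy behaviour and still send the cookie cross-site.
    return "; ".join(parts)


# Constructed user-agent strings for a quick check (not captured from real traffic)
UA_CHROME_80 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36"
UA_CHROME_60 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
UA_IOS_12 = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
UA_MAC_10_14_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15"
UA_MAC_10_14_CHROME = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36"
UA_FIREFOX_75 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"

if __name__ == "__main__":
    for ua in (UA_CHROME_80, UA_IOS_12, UA_FIREFOX_75):
        print(set_cookie_header("sp_session", "opaque-token", ua))
```

Two design points: the Secure attribute is never dropped, because "SameSite=None requires Secure" means an insecure cross-site cookie is discarded by current browsers anyway, and the user-agent list should be reviewed as those old clients age out, since every entry is a deliberate hole in the default Lax protection.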

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

July 31, 2020
