Google are planning to release a security enhancement in February 2020 to the Chrome browser which will change the way it handles HTTP Cookies without the “SameSite” property. The SameSite property prevents the browser from sending the cookie along with cross-site requests. Chrome and the other leading browsers currently treat cookies without the “SameSite” property as if they were set to “SameSite=None” meaning the policy restriction is not enforced.
Starting in February 2020 this default is expected to change to “SameSite=Lax” meaning any web application which does not specify a SameSite policy on its cookies like Cloud Access Manager will automatically be protected by the SameSite policy.
Testing of Cloud Access Manager has not identified any compatibility issues with a typical best practice deployment however it will prevent embedding Cloud Access Manager in an Iframe which has been the default behavior for Cloud Access Manager since version 8.0. However prior to the SameSite change it was possible to allow framing by disabling the X-Fame-Options security header. This will no longer be possible.
While we do not anticipate any compatibility issues with Cloud Access Manager itself for a typical deployment, applications proxied by Cloud Access Manager will need to be tested to ensure they are not affected by the SameSite cookie change.
The new behavior can be tested in Chrome 76 and later by entering “chrome://flags/#same-site-by-default-cookies” into the address bar and changing the setting from Default to Enabled.
Further information can be found in the Chrome announcement: