Google Chrome 80 will roll out an incompatible change regarding the “SameSite” cookie attribute starting Feb 17, 2020. All cross-domain browser scenarios, whether or not they involve GRAVITY, could be critically affected.

In this blog, we would like to inform you about the technical background and the affected scenarios, and provide a solution for the problem.

This blog focuses on scenarios that use GRAVITY for Web in Google Chrome.

Issue description

The “SameSite” attribute of cookies controls the cross-domain behavior of cookies. See this article for details: SameSite cookies explained. Up to now, all browsers had the implicit default SameSite=None, which imposes no restriction on cross-domain cookies.

Google will activate a stricter cookie handling starting February 17, 2020 in Chrome version 80. With that change, the browser will use the cookie attribute SameSite=Lax as default if no value is explicitly specified by the server. In addition, the browser will require the Secure attribute in case SameSite=None is provided by the server.

The reasoning behind this change is to provide protection against cross-site request forgery (CSRF) attacks.

The problem with this change is that many applications integrate different web sites within a single Chrome (80) window and rely on cross-domain cookies. Such scenarios may not work properly with the changed default unless the cookie attribute is set explicitly by the application server. See Developers: Get Ready for New SameSite=None Cookie Settings.
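To make the new rules concrete, here is an added example (not code from the original post or from GRAVITY): a small Python model of how Chrome 80 treats a Set-Cookie header, applied to constructed sample headers, plus a helper that rewrites a header so the cookie keeps working cross-site. Cookie names and values are made up for illustration.

```python
"""Model of Chrome 80's SameSite handling for a Set-Cookie header (added example)."""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, attributes); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_effective_samesite(header):
    """Return the SameSite mode Chrome 80 applies to the cookie: 'lax', 'strict',
    'none', or 'rejected' when SameSite=None is sent without Secure.
    (Chrome's temporary "Lax + POST" grace period for fresh cookies is not modelled.)"""
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "":
        return "lax"  # new default: an unspecified SameSite is treated as Lax
    if samesite == "none":
        return "none" if secure else "rejected"  # None now requires Secure
    return samesite  # an explicit Lax or Strict is unchanged


def sent_cross_site(header):
    """Would the cookie accompany a cross-site request, e.g. a page served from a
    different registrable domain than the one that set it? Under Chrome 80 only
    SameSite=None together with Secure survives."""
    return chrome80_effective_samesite(header) == "none"


def make_cross_site_compatible(header):
    """Rewrite a Set-Cookie header so the cookie keeps working cross-site under
    Chrome 80: drop any existing SameSite/Secure attribute and append
    'SameSite=None; Secure'. Only meaningful for cookies served over HTTPS."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    first, rest = parts[0], parts[1:]
    kept = [p for p in rest
            if p.partition("=")[0].strip().lower() not in ("samesite", "secure")]
    return "; ".join([first] + kept + ["SameSite=None", "Secure"])
```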

Affected scenarios

All scenarios that integrate GRAVITY with web services from different registrable domains within a single Chrome (80) browser window are potentially affected. We currently know of the following affected scenarios, but there may be more:

  • Logon and single sign-on of the user account (GRAVITY will not be displayed at all)

Solution / Workaround

The first way to revert to the old behavior is to configure the way the browser handles cookies. Google recommends using Cookie Legacy SameSite Policies to achieve this. This solution has certain advantages:

  • Central roll-out to corporately managed devices (Windows, Mac, Android) is possible. For example, on Windows the roll-out involves just setting one registry entry.
  • Solves all issues, not just those with ABAP-based application servers.
  • Stricter cookie policies that may be implemented in the future are not invalidated.

It is also possible to configure individual Chrome browser installations to retain the legacy behavior for cookies by setting both flags to “Disabled”:

chrome://flags/#same-site-by-default-cookies

and

chrome://flags/#cookies-without-same-site-must-be-secure

(copy these links into the address bar of the browser).

Due to the far-reaching impact of this Chrome 80 cookie handling change, we recommend testing and analyzing any other browser-based integration applications (besides GRAVITY) you might have, e.g. single sign-on using an external SAML provider. Pure intranet scenarios using a single common domain name (like *.acme.corp) are not affected.
