Cookie handling in Chrome 80

Category: Announcements, PureCloud Integrations

Summary: Chrome 80 Changes in Default Behavior of Cookies

Context: Google is enhancing privacy controls and helping to mitigate some forms of browser attacks such as Clickjacking and Cross-site Request Forgery (CSRF)

Impact: There is no direct impact to authorized usage of the PureCloud API and other integration points. This announcement serves as general advisement to the Genesys developer community that web applications in Chrome may behave differently as of Chrome 80. Web applications that set their own cookies, particularly those loaded into PureCloud as apps, should be reviewed to understand the impact Chrome's change will have on them.

Date of Change: February 4th, 2020 or shortly after

Additional Information

On February 4, 2020, Google is planning to release Chrome 80 that will change its default behavior of cookies. This change is being made to eventually enhance privacy controls and to help mitigate some forms of browser attacks (e.g. Clickjacking and CSRF). Other browser vendors such as Mozilla (Firefox) and Microsoft (Edge) have signaled intent to ship similar changes; however, their time frame has not yet been identified.

Traditionally, by default, cookies have been sent with all applicable requests, regardless of the origin of that request. This upcoming change will alter that default behavior, causing cookies to be sent in a limited manner when requested cross-site. If your application uses cookies in any capacity (Set-Cookie headers or via JavaScript), we recommend you investigate this upcoming change immediately. If your application spans domains, uses redirects, is embedded in another application, or embeds other applications (iframes), this change is more likely to impact you.

This notice is intended as a general announcement and you should read the full details on the official blog post from the Chromium team. The PureCloud team also urges you to evaluate each of your cookies carefully and individually to ensure you're specifying the correct behavior. Also, care should be taken to ensure all your supported User Agents will handle the new cookie syntax, utilizing fallbacks and other protections as needed.

The following resources may help you to better understand the issue and prepare your software for the upcoming release:






Does this have direct implications for pre-built embedded integrations of

  • PureCloud for Zendesk
  • PureCloud for SalesForce
    i.e. using the integration as is with just the standard package options already documented.

Cheers,
Jean-Christophe

@Richard.Schott - Can you address @jcp's question?

We will be addressing these issues as part of the ongoing development and maintenance of Genesys produced features. The intent is that any changes required to continue using our embedded clients will be transparent to end users and developers, requiring little to no input on their part.


Thanks for the clarification.
I suspect the same goes for Embeddable Framework public or private?
Is the best way to raise queries through the dev forum in a first stage before support?

Many thanks,
Jean-Christophe

The same standard applies to this issue as any other. If you need to report a bug, please open a case with PureCloud Care. If you have questions about using the embeddable framework, please post on the forum.

Hi, Our QA team have tested eMite (embedded within PureCloud) with a beta version of the upcoming Chrome 80.

SSO seems to be failing and we are not sure what the root cause is. Current theories are:

  1. We might be using a bad beta version of Chrome 80
  2. Since eMite is embedded as an iFrame within PureCloud there might be some new iFrame tags requiring support from the Genesys side…

Have other AppFoundry partners tested this? And have they encountered issues? In theory it should work as we have our own cookies.

@Justin_Ray - Can you take a look asap?

Thanks for reaching out @sirecki.

The issue you're seeing regarding SSO when embedded in PureCloud is indeed an issue with Chrome 80 and cross-site cookies. We had previously identified and fixed this issue; it just hasn't been deployed yet. I expect that change to land today, but it could bleed into Monday if we encounter any issues.

In the meantime, it would be good to audit any cookies you are using in your UI. Since you'll be embedded inside an iframe in PureCloud, you will be considered cross-site. Thus, you'll need to set SameSite=None on any cookies you need to read/send in that context. But, be sure to evaluate each cookie individually to decide if it should be None, Lax, or Strict. Also, be mindful of User Agent compatibility with this new attribute. Check the previously posted links on compatibility for full details.

Please let us know if you encounter any other issues.

Thanks,
Justin
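
Added example (not part of the thread and not Genesys code): one way to handle the SameSite=None requirement together with the User Agent compatibility concern raised above is to set each cross-site cookie twice, once with `SameSite=None; Secure` and once as a fallback copy with no SameSite attribute, then read whichever arrives. The function names and the `-legacy` suffix are assumptions chosen for this sketch.

```javascript
// Added example: dual-cookie fallback for SameSite=None (all names are hypothetical).
const LEGACY_SUFFIX = '-legacy'; // assumed naming convention for the fallback cookie

// Build the Set-Cookie header values for a cookie that must be sent when the
// app is embedded cross-site (for example inside an iframe of another site).
function crossSiteCookieHeaders(name, value, { maxAge = 3600, path = '/' } = {}) {
  if (!/^[\w!#$%&'*+\-.^`|~]+$/.test(name)) throw new Error('invalid cookie name');
  const base = `${encodeURIComponent(value)}; Path=${path}; Max-Age=${maxAge}; HttpOnly; Secure`;
  return [
    // Chrome 80+ requires Secure alongside SameSite=None, otherwise the cookie is rejected.
    `${name}=${base}; SameSite=None`,
    // User agents that mishandle SameSite=None still accept this copy, which has no SameSite attribute.
    `${name}${LEGACY_SUFFIX}=${base}`,
  ];
}

// Parse a request Cookie header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const pair of (header || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 1) continue; // skip empty or malformed pairs
    const key = pair.slice(0, eq).trim();
    let val = pair.slice(eq + 1).trim();
    try { val = decodeURIComponent(val); } catch (_) { /* keep the raw value */ }
    if (!jar.has(key)) jar.set(key, val); // first occurrence wins
  }
  return jar;
}

// Prefer the SameSite=None cookie; fall back to the legacy copy if only it was sent.
function readCrossSiteCookie(cookieHeader, name) {
  const jar = parseCookieHeader(cookieHeader);
  if (jar.has(name)) return jar.get(name);
  if (jar.has(name + LEGACY_SUFFIX)) return jar.get(name + LEGACY_SUFFIX);
  return null;
}
```

In Chrome 80 the fallback copy is treated as Lax by default and is not sent in the embedded context, so only the `SameSite=None` cookie arrives there. Apply this only to cookies that have been individually judged to need cross-site delivery.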
