[ 
https://issues.apache.org/jira/browse/KNOX-2387?focusedWorklogId=447072&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-447072
 ]

ASF GitHub Bot logged work on KNOX-2387:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/Jun/20 05:22
            Start Date: 17/Jun/20 05:22
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on pull request #347:
URL: https://github.com/apache/knox/pull/347#issuecomment-645158025


   So, as far as I understood, Chrome made the default behavior more secure by 
setting the default to `Lax`. With this change, we blindly set this to `None` 
to be backward compatible. At least, I'd introduce a provider parameter for 
this purpose to allow end-users to control it like this:
   
   1. in the `init()` method I'd parse the newly introduced 
`knoxsso.cookie.samesite` and save it to a class member
   2. in `addJWTHadoopCookie` I'd check if it's set and use the custom value or 
default to `None`
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 447072)
    Time Spent: 40m  (was: 0.5h)

> KnoxSSO broken on recent Chrome browsers (version > 80)
> -------------------------------------------------------
>
>                 Key: KNOX-2387
>                 URL: https://issues.apache.org/jira/browse/KNOX-2387
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxSSO
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 1.4.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Google Chrome changed the default behavior of the SameSite parameter in 
> Set-Cookie header from None to Lax. This causes partial breakage of Knox SSO. 
> Details about Chrome browser feature - 
> [https://www.chromestatus.com/feature/5088147346030592]
> How it affects - 
> [https://support.okta.com/help/s/article/FAQ-How-Chrome-80-Update-for-SameSite-by-default-Potentially-Impacts-Your-Okta-Environment]
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
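
The two steps proposed in the comment above, as an added example (not code from Apache Knox or from pull request #347). Only the parameter name `knoxsso.cookie.samesite` and the `None` default come from the comment; the class, the method signatures, the cookie name and the other cookie attributes are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;

public class SameSiteCookieExample {
    // Parameter name proposed in the comment.
    static final String SAMESITE_PARAM = "knoxsso.cookie.samesite";
    // Default proposed in the comment (keeps the backward-compatible behaviour).
    static final String DEFAULT_SAMESITE = "None";
    private String sameSite = DEFAULT_SAMESITE;

    // Stand-in for step 1 (init()): parse the parameter once and keep it in a member.
    void init(Map<String, String> providerParams) {
        sameSite = parseSameSite(providerParams.get(SAMESITE_PARAM));
    }

    // Accept only the three defined values so a bad config value never reaches the header.
    static String parseSameSite(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return DEFAULT_SAMESITE;
        }
        switch (raw.trim().toLowerCase(Locale.ROOT)) {
            case "strict": return "Strict";
            case "lax":    return "Lax";
            case "none":   return "None";
            default:
                throw new IllegalArgumentException(SAMESITE_PARAM + " must be Strict, Lax or None: " + raw);
        }
    }

    // Stand-in for step 2 (addJWTHadoopCookie): build the Set-Cookie header value.
    String buildSetCookie(String name, String token, boolean secureOnly) {
        // Chrome rejects SameSite=None cookies that lack Secure, so force it on in that case.
        boolean secure = secureOnly || "None".equals(sameSite);
        StringBuilder sb = new StringBuilder(name).append('=').append(token)
            .append("; Path=/; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.append("; SameSite=").append(sameSite).toString();
    }

    public static void main(String[] args) {
        SameSiteCookieExample ex = new SameSiteCookieExample();
        ex.init(Map.of());                       // parameter absent: falls back to None
        System.out.println(ex.buildSetCookie("sso-cookie", "PLACEHOLDER_JWT", false));
        ex.init(Map.of(SAMESITE_PARAM, "lax"));  // operator opts into the stricter value
        System.out.println(ex.buildSetCookie("sso-cookie", "PLACEHOLDER_JWT", false));
    }
}
```

With the parameter unset the header ends in `; Secure; SameSite=None`; with `lax` it ends in `; SameSite=Lax`, which is the stricter setting an operator can choose when the SSO flow does not need the cookie on cross-site requests.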
