Thursday, January 16, 2020

Chrome update - SameSite Lax (Salesforce impact)



The Chrome February 2020 update can break many integrations that rely on cookies (which are heavily used in iframe-based integrations). Salesforce internally uses an iframe to render Visualforce pages on Lightning, so that is broken as well for now, until Salesforce fixes it.

How do cookies work (especially cross-site or in an iframe, when multiple sites are involved)?

E.g. let's say salesforce.com is the hosting site, and inside salesforce.com we are hosting facebook.com in an iframe.



1) The user logs in to facebook.com, and upon login facebook.com saves cookies about the user's session.
2) The user logs in to salesforce.com, where we are hosting the facebook.com iframe. When the browser loads facebook.com in the iframe, it sends the facebook.com cookies along with the request, so the user is not challenged for a username and password.

This is a good thing; however, in certain cases, if salesforce.com has bad code and/or facebook.com has vulnerable code, then facebook.com is vulnerable to a cross-site scripting attack.

With the Chrome February update, all cookies will be treated as SameSite=Lax if SameSite is not specified. This means that, in this case, the browser will not send the cookies to facebook.com when the request comes from a page on salesforce.com.
If you open facebook.com in a separate browser tab, the cookies are still sent, but not when facebook.com is embedded in any other site.

Solution
The embedded site will need to set its cookies with SameSite=None (together with the Secure attribute, which Chrome requires alongside SameSite=None) in order to get the old behavior.
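To make the before/after behavior concrete, here is an added example (not part of the original post or the Heroku demo) that models the browser's SameSite decision for the four storeCookies*.html cases when the demo page is loaded inside a Visualforce iframe. The hostnames and cookie names are constructed placeholders, and the model covers only the rules discussed here: the Lax-by-default change, the Secure requirement for SameSite=None, and Lax cookies being sent only on top-level GET navigations.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "None", "Lax", "Strict", or None when the attribute was omitted
    secure: bool = False

def effective_samesite(cookie: Cookie, chrome80_defaults: bool) -> str:
    """With the February 2020 defaults, a cookie that omits SameSite is treated as Lax."""
    if cookie.samesite is None:
        return "Lax" if chrome80_defaults else "None"
    return cookie.samesite

def cookies_sent(jar: List[Cookie], request_site: str, top_level_site: str,
                 top_level_navigation: bool, method: str = "GET",
                 chrome80_defaults: bool = True) -> List[str]:
    """Names of the cookies the browser attaches to a request for request_site made
    from a page whose top-level site is top_level_site. An iframe load is a cross-site
    subresource request, not a top-level navigation."""
    cross_site = request_site != top_level_site
    sent = []
    for c in jar:
        mode = effective_samesite(c, chrome80_defaults)
        # Chrome 80 also rejects SameSite=None cookies that are not marked Secure.
        if chrome80_defaults and mode == "None" and not c.secure:
            continue
        if not cross_site or mode == "None":
            sent.append(c.name)
        elif mode == "Lax" and top_level_navigation and method in ("GET", "HEAD"):
            sent.append(c.name)  # Lax: cross-site only on safe top-level navigations
        # Strict: never sent on a cross-site request
    return sent

def iframe_scenarios(chrome80_defaults: bool) -> List[str]:
    """The four storeCookies*.html scenarios: the Heroku demo page is loaded inside a
    Visualforce iframe on salesforce.com. Hostnames are constructed placeholders."""
    jar = [
        Cookie("Heroku-SessionId-Default", None, secure=True),    # storeCookies.html
        Cookie("Heroku-SessionId-None", "None", secure=True),     # storeCookiesNone.html
        Cookie("Heroku-SessionId-Lax", "Lax", secure=True),       # storeCookiesLax.html
        Cookie("Heroku-SessionId-Strict", "Strict", secure=True), # storeCookiesStrict.html
    ]
    return cookies_sent(jar, "heroku-demo.example", "salesforce.com",
                        top_level_navigation=False, chrome80_defaults=chrome80_defaults)
```

Calling iframe_scenarios(False) returns the default and None cookies (Scenarios 1 and 2 work before February), while iframe_scenarios(True) returns only the SameSite=None cookie (only Scenario 2 works after February).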


For demo purposes, here is a Heroku web server that stores cookies in different ways and displays them:
  • displayCookies.html : displays the cookies belonging to this site
  • storeCookies.html : stores cookies with no SameSite attribute (meaning they are treated as None before February and as Lax after the February release)
  • storeCookiesNone.html : stores cookies with SameSite=None
  • storeCookiesLax.html : stores cookies with SameSite=Lax
  • storeCookiesStrict.html : stores cookies with SameSite=Strict




On Salesforce I have a Visualforce page which points to displayCookies.html.





Default Chrome Behavior (before February 2020)




  • Scenario 1 : in the browser, go to storeCookies.html, then go to the Salesforce Visualforce page. This works as expected.

  • Scenario 2 : in the browser, go to storeCookiesNone.html, then go to the Salesforce Visualforce page. This also works as expected, as it matches the default behavior.

  • Scenario 3 : in the browser, go to storeCookiesLax.html, then go to the Salesforce Visualforce page. The cookies are not sent to the iframe, which could cause undesired behavior.

  • Scenario 4 : in the browser, go to storeCookiesStrict.html, then go to the Salesforce Visualforce page. The cookies are not sent to the iframe, which could cause undesired behavior.





Default Chrome Behavior (after February 2020)




  • Scenario 1 : in the browser, go to storeCookies.html, then go to the Salesforce Visualforce page. The cookies are not sent to the iframe, which could cause undesired behavior. This was working before the February update.

  • Scenario 2 : in the browser, go to storeCookiesNone.html, then go to the Salesforce Visualforce page. This works as expected!

Server-side code for this (storeCookiesNone.html sets both Secure and SameSite=None):

response.header("Set-Cookie","Heroku-Username=Anonymous-StoreCookie-None; Secure; SameSite=None");
response.header("Set-Cookie","Heroku-SessionId=SessionId-StoreCookie-None; Secure; SameSite=None");

  • Scenario 3 : in the browser, go to storeCookiesLax.html, then go to the Salesforce Visualforce page. The cookies are not sent to the iframe, which could cause undesired behavior, similar to Scenario 1.

  • Scenario 4 : in the browser, go to storeCookiesStrict.html, then go to the Salesforce Visualforce page. The cookies are not sent to the iframe, which could cause undesired behavior, similar to Scenario 1.