Posted on 01-16-2020 08:47 AM
One of our ADFS admins recently sounded the alarm that Google is changing the way browser cookies are handled in Chrome 80. The changes are intended as a security measure to reduce the threat of malicious cookie tracking. However, the change also disrupts legitimate sites. Here are a few articles that describe the problem as Microsoft and others describe it.
• Cross-Site and Same-Site Cookie Changes
• Potential disruption to customer websites
• January 14, 2020—KB4534273
We were asked to test our employee site with Chrome Beta 80 to see how this change would impact our customers. We quickly discovered that at least one major site produced this error:
Checking on Chrome's website, the flags that control this behavior are:
LegacySameSiteCookieBehaviorEnabled
LegacySameSiteCookieBehaviorEnabledForDomainList
On the Windows side, I put a group policy together that allows the site to work correctly. It sets the following registry values.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"LegacySameSiteCookieBehaviorEnabled"=dword:00000001
"LegacySameSiteCookieBehaviorEnabledForDomainList"=dword:00000001
On the Mac side, I've been asked by management to apply the same fix, and it isn't working. Here were my steps.
1) On a clean test machine, copied and edited the com.google.Chrome.plist with Xcode to include the following values.
2) Converted the PLIST to XML with plutil -convert xml1 ExampleBinary.plist, and uploaded the PLIST into a new JAMF Configuration Profile.
3) Scoped and deployed the Configuration Profile to a test machine and confirmed that the com.google.Chrome.plist updated with the new SameSite Cookie values in Library/Managed Preferences and Library/Managed Preferences/User.
There were no errors or issues with this process; it initially appeared to work exactly as expected. Except for one big problem: the browser behavior in Chrome doesn't change and the websites still do not work.
If I manually disable "SameSite by default cookies" in chrome://flags/ the website works, but my PLIST has no effect at all.
Any suggestions on what I could be doing differently would be very much appreciated. Thank you in advance!
Posted on 01-28-2020 03:42 AM
Hi LisaCray, have you been able to solve it? I see the same.
Posted on 01-28-2020 06:13 AM
Posted on 02-04-2020 11:52 AM
I am just working on this but looking at
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=LegacySameSiteCookieBehaviorEnabled...
It seems like one needs to pick one key or the other. We are looking at using the
LegacySameSiteCookieBehaviorEnabledForDomainList
key and filling the array like:
<key>LegacySameSiteCookieBehaviorEnabledForDomainList</key>
<array>
<string>www.example.com</string>
<string>[*.]example.edu</string>
</array>
My wild guess is that on macOS the second key overrides the first one (being more restrictive), and you are not providing an array but a simple bool, so it just sees that there is nothing on the allowed list. That said, I am still testing to see if I can get a working profile for JAMF to deliver, and I could be wildly wrong :-) If anyone has better info please post. I was hoping that ProfileCreator.app would have this setting, which is under the Content Settings group, but it does not.
Posted on 02-05-2020 04:44 AM
@ega I'll see about getting this added soon to ProfileCreator, just have a lot of different things going on ATM. I hadn't kept up with Chrome development, but this is applicable for us too. Thanks for the info & the PR
Posted on 02-05-2020 08:10 AM
Thank you for your insight, @ega
I guess I read it differently. I was thinking...
The "LegacySameSiteCookieBehaviorEnabled" (boolean) option would need to be enabled (1/YES/TRUE)
and THEN you defined the domains to enable in the second (array) option.
<key>LegacySameSiteCookieBehaviorEnabledForDomainList</key>
<array>
<string>[*.]my-intranet-domain</string>
<string>[*.]my-external-domain</string>
</array>
I'm still not sure how these 2 policy settings correspond to the manual flag options in Chrome (see screenshot).
Thoughts?
Posted on 02-05-2020 10:37 AM
@dstranathan that was my thought as well. Have to set the enable pref first in order to respect the domain list
Posted on 02-05-2020 12:03 PM
After testing, it appears the first option ('LegacySameSiteCookieBehaviorEnabled') is an integer, NOT a boolean. This value must be '1' or '2':
1 = Revert to legacy SameSite behavior for cookies on all sites
2 = Use SameSite-by-default behavior for cookies on all sites
If more granular controls are needed on a per-domain basis, then the array ('LegacySameSiteCookieBehaviorEnabledForDomainList') must be configured.
Clear as mud!
Posted on 02-05-2020 03:34 PM
Yeah and my understanding was incorrect. LegacySameSiteCookieBehaviorEnabled with a value of '1' does not require the domain list preference, because it just reverts the cookie behavior on all sites. LegacySameSiteCookieBehaviorEnabledForDomainList is for when you want to be more selective about legacy cookie behavior. But both can be used together.
Posted on 02-05-2020 04:02 PM
ProfileCreator has been updated, so you can quit & reopen to see these added preferences for Chrome
Posted on 02-06-2020 12:20 PM
@dstranathan in your testing if only LegacySameSiteCookieBehaviorEnabledForDomainList is populated with a domain list is there any need for LegacySameSiteCookieBehaviorEnabled at all? It looks like just populating the array implies the same as LegacySameSiteCookieBehaviorEnabled with an int value of 1 but restricted to the sites listed in the array. Hoping you see thru mud better than I do...
Posted on 02-06-2020 12:26 PM
Heh, never mind @aporlebeke has a good description in the new preference for Chrome in Profile Creator
Cookies set for domains matching these patterns will revert to legacy SameSite behavior. For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be used either from the LegacySameSiteCookieBehaviorEnabled policy, if it is set, or the user's personal configuration otherwise.
Posted on 02-06-2020 01:29 PM
Thanks @aporlebeke - Looks good!
Posted on 03-18-2020 01:14 PM
I am confused on how to implement this fix. Is there a step by step or something I can download and import into Jamf?
Posted on 11-12-2020 01:49 PM
Apologies in advance as I have yet to personally attempt to manage macOS Chrome settings.
Can someone describe in detail the .plist/xml file that needs to be created and where on the drive it needs to be located?
It seems like I missed the memo and a lot of these steps seem to be assumed.
Thanks!
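As an added example (not code from any poster, Google, Jamf or ProfileCreator), here is a script that generates the com.google.Chrome managed-preferences plist the thread is trying to build, plus a .mobileconfig wrapper you can upload to Jamf. It encodes the two findings above: LegacySameSiteCookieBehaviorEnabled must be the integer 1 or 2 (a boolean is rejected on purpose), and domain-list entries use the "[*.]host" form, so the "[*]" typo and the leading spaces seen in the posted snippets are caught before deployment. The pattern check, the payload identifiers and the organization name are this script's own assumptions, as is the custom-settings (com.apple.ManagedClient.preferences / Forced / mcx_preference_settings) layout used for the profile.

```python
#!/usr/bin/env python3
"""Generate com.google.Chrome managed preferences (plist) and a wrapping
.mobileconfig for the two SameSite policies discussed in the thread.
Added example; not code from any poster, Google, Jamf or ProfileCreator."""
import plistlib
import re
import uuid

# Values of LegacySameSiteCookieBehaviorEnabled (an integer policy, not a bool).
LEGACY_ALL_SITES = 1       # revert to legacy SameSite behaviour on all sites
SAMESITE_BY_DEFAULT = 2    # use SameSite-by-default behaviour on all sites

# Assumption: only bare hosts ("intranet.example") and "[*.]host" wildcards
# pass here. This is a local sanity check for the mistakes seen in the thread
# ("[*]" instead of "[*.]", leading spaces), not Chrome's full pattern grammar.
_DOMAIN_RE = re.compile(r"^(\[\*\.\])?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def is_valid_mode(mode):
    """True only for the integers 1 or 2; True/False are rejected on purpose."""
    return not isinstance(mode, bool) and mode in (LEGACY_ALL_SITES, SAMESITE_BY_DEFAULT)


def validate_domain_patterns(patterns):
    """Return the entries that fail the sanity check (empty list = all good)."""
    return [p for p in patterns if p != p.strip() or not _DOMAIN_RE.match(p)]


def build_chrome_policy(domains=None, global_mode=None):
    """Build the dict that becomes com.google.Chrome's managed preferences.

    domains     -> LegacySameSiteCookieBehaviorEnabledForDomainList (array)
    global_mode -> LegacySameSiteCookieBehaviorEnabled (integer 1 or 2)
    Either key alone is valid: the list wins for the hosts it names and the
    global value (or the user's own setting) covers everything else.
    """
    policy = {}
    if global_mode is not None:
        if not is_valid_mode(global_mode):
            raise ValueError("LegacySameSiteCookieBehaviorEnabled must be the integer 1 or 2")
        policy["LegacySameSiteCookieBehaviorEnabled"] = global_mode
    if domains:
        bad = validate_domain_patterns(domains)
        if bad:
            raise ValueError("bad domain pattern(s): %r" % bad)
        policy["LegacySameSiteCookieBehaviorEnabledForDomainList"] = list(domains)
    if not policy:
        raise ValueError("nothing to set: give domains, global_mode or both")
    return policy


def to_plist_xml(policy):
    """Serialize as XML plist text (what you upload to Jamf or check with plutil)."""
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML).decode()


def load_plist_xml(text):
    """Parse XML plist text back into a dict (used to confirm the value types)."""
    return plistlib.loads(text.encode())


def to_mobileconfig(policy, identifier="com.example.chrome.samesite", org="Example Org"):
    """Wrap the policy in a custom-settings (MCX) configuration profile.
    Assumption: the ManagedClient.preferences/Forced/mcx_preference_settings
    layout of a Custom Settings payload; identifier and org are placeholders."""
    mcx = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".mcx",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadEnabled": True,
        "PayloadContent": {
            "com.google.Chrome": {"Forced": [{"mcx_preference_settings": policy}]}
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Chrome SameSite cookie policy",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [mcx],
    }


if __name__ == "__main__":
    # Constructed sample: two internal domains get legacy behaviour, every
    # other site gets SameSite-by-default.
    pol = build_chrome_policy(domains=["www.example.com", "[*.]example.edu"],
                              global_mode=SAMESITE_BY_DEFAULT)
    xml = to_plist_xml(pol)
    with open("com.google.Chrome.plist", "w") as fh:
        fh.write(xml)
    with open("chrome-samesite.mobileconfig", "wb") as fh:
        plistlib.dump(to_mobileconfig(pol), fh)
    print(xml)
```

After the profile is installed, confirm the keys landed in /Library/Managed Preferences/com.google.Chrome.plist (for example with defaults read on that path) and that chrome://policy on the test Mac lists both policies without an error; an entry written as a boolean or with a malformed pattern shows up there as ignored rather than silently working.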