Manage Chrome Settings - "LegacySameSiteCookieBehaviorEnabled"

LisaCray
New Contributor

One of our ADFS admins recently sounded the alarm that Google is changing the way browser cookies are handled in Chrome 80. The changes are intended as a security measure to reduce the threat of malicious cookie tracking. However, the change also disrupts legitimate sites. Here are few articles that describe the problem as Microsoft and other describe it.

• Cross-Site and Same-Site Cookie Changes link text
• Potential disruption to customer websites link text
• January 14, 2020—KB4534273 link text

We were asked to test our employee site with Chrome Beta 80 to see how this change would impact our customers. We quickly discovered that at least one major site produced this error:

7d54064c4051457db8444e784f7cc9bc

Checking on Chrome's website, the flags that control this behavior are:

LegacySameSiteCookieBehaviorEnabled - link text

LegacySameSiteCookieBehaviorEnabledForDomainList - link text

On the Windows side, I put a group policy together that allows the site to work correctly. It sets the following registry values.

[HKEY_LOCAL_MACHINESOFTWAREPoliciesGoogleChrome]
"LegacySameSiteCookieBehaviorEnabled"=dword:00000001
"LegacySameSiteCookieBehaviorEnabledForDomainList"=dword:00000001

On the Mac side, I've been asked by management to apply the same fix, and it isn't working. Here were my steps.

1) On a clean test machine, copied and editing the com.google.Chrome.plist with Xcode to include the following values.

6185f33d97fb4925bf34f28fb96e1f6f

2) Converted the PLIST to XML - plutil -convert xml1 ExampleBinary.plist -and uploaded the PLIST into a new JAMF Configuration Profile

3) Scoped and deployed the Configuration Profile to a test machine and confirmed that the com.google.Chrome.plist updated with the new SameSite Cookie values in Library/Managed Preferences and Library/Manage Preferences/User

There were no errors or issues with this process, it intially appeared to work exactly as expected. Other than one big problem, the browser behavior in Chrome doesn't change and the websites still do not work.

If I manually disable "SameSite by default cookies" in chrome://flags/ the website works, but my PLIST has no effect at all.

Any suggestions on what I could be doing differently would be very much appreciated. Thank you in advance!

14 REPLIES 14

anniwayy
New Contributor III

Hi LisaCray, have you been able to solve it? i see the same.

ThijsX
Valued Contributor
Valued Contributor

@LisaCray

For me it seems to work, i mean setting the setting in the correct way.

cd83bc7efd914463a4bbdb0eeae2f2c4

ega
Contributor III

I am just working on this but looking at https://cloud.google.com/docs/chrome-enterprise/policies/?policy=LegacySameSiteCookieBehaviorEnabled...
It seems like one needs to pick one key or the other. We are looking at using the

LegacySameSiteCookieBehaviorEnabledForDomainList

key and filling the array like:

    <key>LegacySameSiteCookieBehaviorEnabledForDomainList</key>
            <array>
                <string>www.example.com</string>
                <string>[*].example.edu</string>
            </array>

My wild guess is that on macOS the second key overrides the first one (being more restrictive) and you are not providing an array but a simple bool so just sees that there is nothing on the allowed list. That said I am still testing to see if I can get a working profile for JAMF to deliver and I could be wildly wrong :-) and if anyone has better info please post. I was hoping that Profile Creator.app would have this setting which is under the Content Settings group but it does not.

apizz
Valued Contributor

@ega I'll see about getting this added soon to ProfileCreator, just have a lot of different things going on ATM. I hadn't kept up with Chrome development, but this is applicable for us too. Thanks for the info & the PR

dstranathan
Valued Contributor II

Thank you for thour insight, @ega

I guess I read it differently. I was thinking...

The "LegacySameSiteCookieBehaviorEnabled" (boolean) option would need to be enabled (1/YES/TRUE)

and THEN you defined the domains to enable in the second (array) option.

<key>LegacySameSiteCookieBehaviorEnabledForDomainList</key>
    <array>
    <string> [*.]my-intranet-domain</string>
    <string> [*.]my-external-domain</string>
    </array>

I'm still not sure how these 2 policy settings correspond to the manual flag options in Chrome (see screenshot).

97c06e72979a4e57bf9198bd7c156058

Thoughts?

apizz
Valued Contributor

@dstranathan that was my thought as well. Have to set the enable pref first in order to respect the domain list

dstranathan
Valued Contributor II

After testing, it appears the first option ('LegacySameSiteCookieBehaviorEnabled') is an integer, NOT a boolean. This value must be '1' or '2':

1 = Revert to legacy SameSite behavior for cookies on all sites
2 = Use SameSite-by-default behavior for cookies on all sites

If more granular controls are needed on a per-domain basis, then the array ('LegacySameSiteCookieBehaviorEnabledForDomainList') must be configured.

Clear as mud!

apizz
Valued Contributor

Yeah and my understanding was incorrect. LegacySameSiteCookieBehaviorEnabled with a value of '1' does not require the domain list preference, because it just reverts the cookie behavior on all sites. LegacySameSiteCookieBehaviorEnabledForDomainList is for when you want to be more selective about legacy cookie behavior. But both can be used together.

apizz
Valued Contributor

ProfileCreator has been updated, so you can quit & reopen to see these added preferences for Chrome

ega
Contributor III

@dstranathan in your testing if only LegacySameSiteCookieBehaviorEnabledForDomainList is populated with a domain list is there any need for LegacySameSiteCookieBehaviorEnabled at all? It looks like just populating the array implies the same as LegacySameSiteCookieBehaviorEnabled with an int value of 1 but restricted to the sites listed in the array. Hoping you see thru mud better than I do...

ega
Contributor III

Heh, never mind @aporlebeke has a good description in the new preference for Chrome in Profile Creator

Cookies set for domains matching these patterns will revert to legacy SameSite behavior. For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be used either from the LegacySameSiteCookieBehaviorEnabled policy, if it is set, or the user's personal configuration otherwise.

dstranathan
Valued Contributor II

Thanks @aporlebeke - Looks good!

5e4d45b35c9f49d2a46d77b5948469b1

apredmore
New Contributor II

I am confused on how to implement this fix. Is there a step by step or something I can download and import into Jamf?

druocco
New Contributor III

Apologies in advance as I have yet to personally attempt to manage macOS Chrome settings.
Can someone describe in detail the .plist/xml file that needs to be created and where on the drive it needs to be located?
It seems like I missed the memo and a lot of these steps seem to be assumed. Thanks!