One of our ADFS admins recently sounded the alarm that Google is changing the way browser cookies are handled in Chrome 80. The changes are intended as a security measure to reduce the threat of malicious cookie tracking. However, the change also disrupts legitimate sites. Here are a few articles that describe the problem as Microsoft and others describe it.
We were asked to test our employee site with Chrome Beta 80 to see how this change would impact our customers. We quickly discovered that at least one major site produced this error:
Checking on Chrome's website, the flags that control this behavior are:
LegacySameSiteCookieBehaviorEnabled
LegacySameSiteCookieBehaviorEnabledForDomainList
On the Windows side, I put a group policy together that allows the site to work correctly. It sets the following registry values.
On the Mac side, I've been asked by management to apply the same fix, and it isn't working. Here were my steps.
1) On a clean test machine, copied and edited the com.google.Chrome.plist with Xcode to include the following values.
2) Converted the PLIST to XML (plutil -convert xml1 ExampleBinary.plist) and uploaded the PLIST into a new JAMF Configuration Profile.
3) Scoped and deployed the Configuration Profile to a test machine and confirmed that the com.google.Chrome.plist updated with the new SameSite Cookie values in Library/Managed Preferences and Library/Managed Preferences/User.
There were no errors or issues with this process; it initially appeared to work exactly as expected. Other than one big problem: the browser behavior in Chrome doesn't change and the websites still do not work.
If I manually disable "SameSite by default cookies" in chrome://flags/ the website works, but my PLIST has no effect at all.
Any suggestions on what I could be doing differently would be very much appreciated. Thank you in advance!
I am just working on this but looking at
It seems like one needs to pick one key or the other. We are looking at using the
key and filling the array like:
<key>LegacySameSiteCookieBehaviorEnabledForDomainList</key>
<array>
    <string>www.example.com</string>
    <string>[*].example.edu</string>
</array>
My wild guess is that on macOS the second key overrides the first one (being more restrictive) and you are not providing an array but a simple bool, so Chrome just sees that there is nothing on the allowed list. That said, I am still testing to see if I can get a working profile for JAMF to deliver, and I could be wildly wrong 🙂 and if anyone has better info please post. I was hoping that Profile Creator.app would have this setting, which is under the Content Settings group, but it does not.
Thank you for your insight, @ega
I guess I read it differently. I was thinking...
The "LegacySameSiteCookieBehaviorEnabled" (boolean) option would need to be enabled (1/YES/TRUE)
and THEN you defined the domains to enable in the second (array) option.
<key>LegacySameSiteCookieBehaviorEnabledForDomainList</key>
<array>
    <string>[*.]my-intranet-domain</string>
    <string>[*.]my-external-domain</string>
</array>
I'm still not sure how these 2 policy settings correspond to the manual flag options in Chrome (see screenshot).
After testing, it appears the first option ('LegacySameSiteCookieBehaviorEnabled') is an integer, NOT a boolean. This value must be '1' or '2':
1 = Revert to legacy SameSite behavior for cookies on all sites
2 = Use SameSite-by-default behavior for cookies on all sites
If more granular controls are needed on a per-domain basis, then the array ('LegacySameSiteCookieBehaviorEnabledForDomainList') must be configured.
Clear as mud!
Yeah and my understanding was incorrect. LegacySameSiteCookieBehaviorEnabled with a value of '1' does not require the domain list preference, because it just reverts the cookie behavior on all sites. LegacySameSiteCookieBehaviorEnabledForDomainList is for when you want to be more selective about legacy cookie behavior. But both can be used together.
@dstranathan in your testing, if only LegacySameSiteCookieBehaviorEnabledForDomainList is populated with a domain list, is there any need for LegacySameSiteCookieBehaviorEnabled at all? It looks like just populating the array implies the same as LegacySameSiteCookieBehaviorEnabled with an int value of 1 but restricted to the sites listed in the array. Hoping you see through mud better than I do...
Heh, never mind @aporlebeke has a good description in the new preference for Chrome in Profile Creator
Cookies set for domains matching these patterns will revert to legacy SameSite behavior. For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be used either from the LegacySameSiteCookieBehaviorEnabled policy, if it is set, or the user's personal configuration otherwise.
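An added example (not from any poster in this thread, nor from Google or JAMF) that builds the com.google.Chrome payload discussed above with Python's stdlib plistlib and checks it for the exact type mistakes the thread uncovered: the global key must be an integer 1 or 2 rather than a boolean, and the domain list must be an array of clean pattern strings. The policy key names are Chrome's; the domain patterns are constructed samples, and the check function is my own, not a Chrome or JAMF tool.

```python
"""Build and sanity-check the Chrome SameSite-policy plist from the thread above."""
import plistlib

# Chrome policy names (as in the thread); values/semantics per the policy description quoted above
ENABLED_KEY = "LegacySameSiteCookieBehaviorEnabled"
DOMAIN_LIST_KEY = "LegacySameSiteCookieBehaviorEnabledForDomainList"
LEGACY_ALL_SITES, SAMESITE_BY_DEFAULT = 1, 2   # integer values, not booleans


def build_chrome_samesite_plist(domains, global_mode=None):
    """Return XML plist bytes for com.google.Chrome carrying the two policies.

    domains: Chrome URL patterns such as "[*.]example.com" (constructed samples).
    global_mode: None (leave Chrome's default), or the integer 1 or 2.
    Passing a bool is exactly the mistake discussed above, so it is rejected.
    """
    if global_mode is not None and (isinstance(global_mode, bool) or global_mode not in (1, 2)):
        raise ValueError("global mode must be the integer 1 or 2, not a bool")
    payload = {}
    if global_mode is not None:
        payload[ENABLED_KEY] = global_mode
    if domains:
        payload[DOMAIN_LIST_KEY] = list(domains)
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def check_chrome_samesite_plist(data):
    """Parse plist bytes and return a list of findings (empty means it looks right).

    A profile deploys a wrongly typed value without any error, so this is the
    check to run before uploading the XML to a configuration profile.
    """
    prefs = plistlib.loads(data)
    findings = []
    if ENABLED_KEY in prefs:
        v = prefs[ENABLED_KEY]
        if isinstance(v, bool) or not isinstance(v, int) or v not in (1, 2):
            findings.append(f"{ENABLED_KEY} must be the integer 1 or 2, got {v!r}")
    if DOMAIN_LIST_KEY in prefs:
        v = prefs[DOMAIN_LIST_KEY]
        # stray whitespace inside <string> (as in one post above) silently breaks matching
        if not isinstance(v, list) or not all(isinstance(d, str) and d and d == d.strip() for d in v):
            findings.append(f"{DOMAIN_LIST_KEY} must be an array of non-blank, untrimmed-free strings")
    return findings


if __name__ == "__main__":
    # Per-domain list only: legacy behaviour is limited to the listed sites
    print(build_chrome_samesite_plist(["[*.]example.com", "sso.example.edu"]).decode())
```

Scoping the revert to the domain list keeps SameSite-by-default protection on every other site, which is the narrower choice when only one or two internal sites need the legacy behaviour.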
Apologies in advance as I have yet to personally attempt to manage macOS Chrome settings.
Can someone describe in detail the .plist/xml file that needs to be created and where on the drive it needs to be located?
It seems like I missed the memo and a lot of these steps seem to be assumed. Thanks!