In mid-February 2020, a change will be pushed by the developers of the Chromium engine to all browser installations which implement it.
Popular browsers using Chromium, impacted by this change:
**Apple Safari and Mozilla Firefox DO NOT use Chromium** (although both browser teams have their own plans to implement similar rules in the future).
For affected Chromium browsers, this change will enforce NEW rules on websites, particularly those loading content from multiple domains at once.
Jaspersoft administrators and users should be aware of this change, and understand its impacts on their implementations.
The following brief questionnaire should help clarify whether or not your installation will be impacted immediately by this change to your end users' browsers.
| Question | Answer | Action |
|---|---|---|
| 1. Errors Indicating You Are Impacted? Are you seeing the following error in your browser console when loading pages containing embedded content from JasperReports Server? *A cookie associated with a cross-site resource at http://www.example.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.* | No | Please proceed to Question #2 |
| | Yes | Your implementation is already impacted by this change, and will need to be modified/updated. Please skip the 2 remaining questions in this questionnaire, and read all the details in the sections below. |
| 2. Embedded? Are you embedding JasperReports Server in another web application? For example, are you exposing its functionality using our Visualize.js JavaScript API, or REST API, or possibly iFrames in the pages of another application or site? | No | Your JasperReports Server installation will not require any changes |
| | Yes | Please proceed to Question #3 |
| 3. Combining Multiple Domains? Is the domain used by your JasperReports Server DIFFERENT from the domain used by the application in which it is embedded? (Example: the domain name for your JasperReports Server is "somecompany.com", and it is embedded in another application whose domain is "mycompany.com".) | No | Your JasperReports Server installation will not require any changes |
| | Yes | Your implementation may need to be modified/updated. Please read all the details below. |
In February 2020, Google Chrome was the first browser to implement additional checks on cookies related to cross site interactions. Other browsers are planning to also introduce this check.
“Cross site” for a browser means a web page from site A (www.example.com) accessing pages and resources (e.g. REST calls, images) on site B (www.myapp.com).
Below is an example of an exception in the Google Chrome browser console with the cross site cookie blocking:
A cookie associated with a cross-site resource at http://www.example.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
What this means is that every cookie used in a cross site request must carry the “SameSite=None; Secure” attributes, and, because of the Secure attribute, must be set over HTTPS.
JasperReports Server is often accessed in a cross site manner from browsers when embedding:

- Jaspersoft web pages in iFrames
- Visualize.js
- REST calls through JavaScript
- Authentication, Single sign on
An example of cross site access is the Jaspersoft visualize.js samples like:
The page from the jsfiddle.net site is executing the HTML and JavaScript in the visualize sample and is pointing to a public JasperReports Server:

```html
<script src="https://mobiledemo.jaspersoft.com/jasperserver-pro/client/visualize.js"></script>
```
Blocking cross site cookies will stop the use of embedded Jaspersoft. Jaspersoft uses a JSESSIONID cookie to indicate successful login and establish a logged in user session and other cookies which will be affected by cookie blocking.
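As an added illustration (not code from this article or from Jaspersoft), the rule described above written out as a small checker: give it the Set-Cookie header values your JasperReports Server returns and it reports whether Chrome 80 would send, silently drop, or reject each cookie on a cross-site (embedded) request. The sample headers and cookie values are constructed.

```python
# Added example: classify Set-Cookie headers the way Chrome 80 treats them for
# cross-site requests. Sample headers below are constructed, not captured.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cross_site_verdict(header, served_over_https=True):
    """Return (name, status, reason); status is 'ok', 'blocked' or 'rejected'."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if same_site == "none":
        if not secure:
            return name, "rejected", "SameSite=None without Secure is discarded"
        if not served_over_https:
            return name, "rejected", "Secure cookie cannot be set over plain HTTP"
        return name, "ok", "SameSite=None; Secure is sent with cross-site requests"
    if same_site in ("lax", "strict"):
        return name, "blocked", f"SameSite={same_site} is not sent to embedded content"
    return name, "blocked", "no SameSite attribute; Chrome 80 defaults it to Lax"

def audit(headers, served_over_https=True):
    """Map cookie name -> (status, reason) for a list of Set-Cookie header values."""
    return {n: (s, r) for n, s, r in
            (cross_site_verdict(h, served_over_https) for h in headers)}

# Constructed: what an unpatched server sends, and what Option 1 or 3 should produce.
BEFORE = [
    "JSESSIONID=ABC123; Path=/jasperserver-pro; HttpOnly",
    "userLocale=en_US; Path=/jasperserver-pro",
]
AFTER = [
    "JSESSIONID=ABC123; Path=/jasperserver-pro; HttpOnly; Secure; SameSite=None",
    "userLocale=en_US; Path=/jasperserver-pro; SameSite=None",  # Secure is missing
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        for name, (status, reason) in audit(headers).items():
            print(f"{label:6} {name:11} {status:8} {reason}")
```

Run it against the real headers (for example copied from the browser's Network tab) after applying a hot fix or the application server configuration to confirm that JSESSIONID comes back with status `ok`.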
There are several ways to address this cookie blocking:
**Option 1: Hot Fixes (not yet available)**
As of February 19th, 2020, Jaspersoft Engineering is developing hot fixes for all currently supported, SECURE versions of JasperReports Server (7.5.0, 7.2.0, 7.1.1, 6.4.4). These patches should be available in the next several weeks. We will publish these hot fixes via our Customer Portal (https://support.tibco.com/), and notify customers when they are generally available.
In the meantime, we strongly suggest customers review and apply either of the interim solutions in Options 2 or 3 below.
These hot fixes will add the SameSite=none; Secure flags on cookies from JasperReports Server.
They will also provide additional processing in the external authentication framework used for single sign on (SSO).
https://community.jaspersoft.com/documentation/tibco-jasperreports-server-authentication-cookbook/v750/external-authentication
The changes will not affect the API or Spring level configuration. However, if your external authentication implements a Filter.doFilter method or overrides JrsAuthenticationSuccessHandler.onAuthenticationSuccess, please review JSCasProcessingFilter and JrsAuthenticationSuccessHandler to determine whether your external authentication code is affected, as such customizations will need to be updated.
The Secure flag on the cookies requires them to be served over HTTPS, so JasperReports Server will ONLY be accessible from the browser via HTTPS. This will be a requirement imposed by the browsers moving forward. This is regardless of whether the web page embedding the cross site content is served using HTTP, like in an intranet.
HTTPS (SSL) can be enabled on JasperReports Server. See:
Alternatively, HTTPS (SSL) can be enabled in a proxy/load balancer between the browser and JasperReports Server to meet the HTTPS requirement. SSL termination at the proxy/load balancer will remove the need for JasperReports Server to implement HTTPS.
Again, we will soon publish hot fixes/patches which will automatically add the required cookies. In the meantime, once again, please review and apply either of the interim solutions in Options 2 or 3 below.
**Option 2: Do not access Jaspersoft in a “cross site” manner.**
Jaspersoft can be accessed through a proxy, so that your web site and Jaspersoft appear under a single web domain and Jaspersoft access is therefore not cross site. If you have embedded Jaspersoft in a cross site way, changing to proxying will require changes to your environment (implementing and configuring a proxy service) and to your application.
See "Best Practices for deploying JasperReports Server into your web application" on the Jaspersoft Community site.
Another way to avoid cross site access is to serve your application and Jaspersoft from the same web domain.
**Option 3: For HTTPS installations ONLY.** Insert the necessary cookie attributes to support cross-site references via configuration of your application server (works for later versions of application servers).
*BOTH* of the following cookie attributes, SameSite=None and Secure, need to be set for this to work.
For certain recent versions of application servers, it is possible to configure the cookie processor to add the SameSite attribute to cookies (examples: Tomcat versions 8.5.48 (not yet certified by Jaspersoft), 9.0.30 (not yet certified by Jaspersoft) and higher).
Apache Tomcat: The most popular application server among our customers is Tomcat. To add SameSite=None to every cookie Tomcat sets, configure the cookie processor inside the `<Context>` element of conf/context.xml (the value must be `none`; `lax` or `strict` would block cross-site use entirely):

```xml
<!-- inside <Context> in conf/context.xml; "none" emits SameSite=None on every cookie -->
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" sameSiteCookies="none" />
```
To read more about this option:
https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html
Other application servers: Similar options may be available in other application servers. Please consult the documentation for your selected server.
To set the Secure attribute on the session cookie (JSESSIONID) for all pages served by the application server containing JasperReports Server:
Apache Tomcat Instructions (most popular among Jaspersoft customers):

```xml
<!-- in web.xml (conf/web.xml to cover every web application, or the JasperReports Server WEB-INF/web.xml) -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
```
Other application servers:
Similar options may be available in other application servers. Please consult the documentation for your selected server.