Same Site by Default Cookie - Impact to Clarity

book

Article ID: 206489

calendar_today

Updated On:

Products

Clarity PPM On Premise Clarity PPM SaaS

Issue/Introduction

January 2021

Those customers leveraging the embedded iframe app  like Clarity Timesheet within Rally, Jaspersoft Advance Reporting ,Configure Links to External Content With Channels using Google Chrome, we wanted to notify you of a change that will affect this integration.

Google Chrome 80 changes the default behavior of cookies in cross-domain scenarios. Chrome 80 introduces a new default value for cookie attribute: “SameSite=Lax”. (Previously, the SameSite cookie attribute defaulted to “SameSite=None”.)

 

March 2021 Onwards 

Those customers leveraging the embedded iframe app  like Clarity Timesheet within Rally, Jaspersoft Advance Reporting ,Configure Links to External Content With Channels using Google Chrome, we wanted to notify you of a change that will affect this integration.

The flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure have been removed from chrome://flags as of Chrome 91, as the behavior is now enabled by default. In Chrome 94, the command-line flag --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure will be removed.

What Does This Mean?

The Clarity/Rally Timesheet integration or any embedded iframe integration that rely on cookies will no longer work in Chrome 91 and above. This change particularly affects – but is not limited to – custom single sign-on, and integrations using iframes. Other browser vendors have also made these same updates.

Cause

The change is due to the browser's cookie handling mechanism. Details can be found here 

Environment

All Clarity Versions 

Resolution

What Is Being Done To Resolve?

The Clarity and Rally Engineering team is developing an API Key capability to support the embedding of two products within.  The team has already done some research into this area, and working to get this fixed as feasible. Rally Engineering team is tracking this enhancement Story S206731

Is There A Workaround For The Time Being?

  • Yes, there are browser configurations that can be adjusted to allow this integration if the browsers are not upgraded to version where Same Site Cookie as the behavior is now enabled by default
  • The external application (example Rally) if logged in on another tab and at the same time opened in channel in clarity it will work as the session is established and browser will use the same session

Workaround by Browser

The remainder of this document will cover browser configurations that can be made to allow the Clarity/Rally Timesheet integration to work for lower version of Browsers 

Chrome Browser

  • Open Chrome and paste the below into the URL field – Press Enter:

chrome://flags/#same-site-by-default-cookies

  • From the drop-down list select Disabled – Click Relaunch

The Clarity/Rally Timesheet or any iframe embeded integration should now work.

 

Microsoft Edge (Chromium)

  • Open Edge and paste the below into the URL field – Press Enter:

edge://flags/#same-site-by-default-cookies

  • From the drop-down list select Disabled – Click Restart (Similar to the Chrome screen shot above)

The Clarity/Rally Timesheet or any Iframe embeded integration should now work.

Firefox Browser

  • Open Firefox and paste the following into the URL field – Press Enter:

about:config

  • If you see a ‘Proceed with Caution” warning - Click ‘Accept the Risk’ and Continue
  • Paste the below into the ‘Search preference name’ field - :

same-site-by-default-cookies

  • Click the Toggle icon to set to ‘false’:

The Clarity/Rally Timesheet or any iframe embeded integration should now work.

Safari Browser

  • Open Safari
  • Go to “Preferences > Privacy
  • Uncheck “Prevent cross-site tracking” option

The Clarity/Rally Timesheet or any iframe embeded integration should now work.

Attachments