Same Site by Default Cookie - Impact to Clarity

Article ID: 206489


Updated On:

Products

Clarity PPM On Premise Clarity PPM SaaS

Issue/Introduction

January 2021

For customers who use an embedded iframe app in Google Chrome, such as Clarity Timesheet within Rally, Jaspersoft Advance Reporting, or Configure Links to External Content With Channels: we want to notify you of a change that will affect this integration.

Google Chrome 80 changes the default behavior of cookies in cross-domain scenarios. Chrome 80 introduces a new default value for the SameSite cookie attribute: “SameSite=Lax”. (Previously, the SameSite cookie attribute defaulted to “SameSite=None”.)

 

March 2021 Onwards 

For customers who use an embedded iframe app in Google Chrome, such as Clarity Timesheet within Rally, Jaspersoft Advance Reporting, or Configure Links to External Content With Channels: we want to notify you of a change that will affect this integration.

The flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure have been removed from chrome://flags as of Chrome 91, as the behavior is now enabled by default. In Chrome 94, the command-line flag --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure will be removed.

What Does This Mean?

The Clarity/Rally Timesheet integration, or any embedded iframe integration that relies on cookies, will no longer work in Chrome 91 and above. This change particularly affects, but is not limited to, custom single sign-on and integrations using iframes. Other browser vendors have also made these same updates.
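To check which cookies an embedded application would lose under these defaults, the following added example (not Clarity or Rally code) models the browser's decision for a cross-site iframe. The function names and the sample Set-Cookie values are constructed for illustration, and the two Chrome behaviors (Lax by default, SameSite=None requires Secure) are toggled together by one assumed parameter.

```javascript
// Added example: models the SameSite defaults described above; not product code.
// The Set-Cookie strings in `sample` are constructed, not captured from any system.

// Parse a Set-Cookie header value into { name, sameSite, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether the cookie is sent when its site is loaded in a cross-site iframe.
// laxByDefault = true models Chrome 80+ defaults; false models the earlier default.
function crossSiteIframeVerdict(header, laxByDefault = true) {
  const c = parseSetCookie(header);
  const known = ['strict', 'lax', 'none'];
  // A missing or unrecognised SameSite value falls back to the browser default.
  const fallback = laxByDefault ? 'lax' : 'none';
  const effective = known.includes(c.sameSite) ? c.sameSite : fallback;
  if (laxByDefault && effective === 'none' && !c.secure) {
    return { name: c.name, sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (effective === 'none') {
    return { name: c.name, sent: true, reason: 'SameSite=None allows cross-site use' };
  }
  return { name: c.name, sent: false, reason: `SameSite=${effective} blocks cross-site iframe use` };
}

// Audit a list of Set-Cookie headers; return the cookie names that would be withheld.
function withheldCookies(headers, laxByDefault = true) {
  return headers.map((h) => crossSiteIframeVerdict(h, laxByDefault))
    .filter((v) => !v.sent).map((v) => v.name);
}

const sample = [
  'JSESSIONID=abc123; Path=/; HttpOnly',     // no SameSite attribute
  'sso=xyz; Path=/; SameSite=None',          // None, but not Secure
  'embed=ok; Path=/; Secure; SameSite=None', // explicitly cross-site capable
  'prefs=1; SameSite=Strict; Secure',
];
console.log('new default withholds:', withheldCookies(sample, true));
console.log('old default withholds:', withheldCookies(sample, false));
```

A session cookie that appears in the first list but not the second is one whose behavior in the iframe changed with the new browser default.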

Environment

All Clarity Versions 

Cause

The change is due to the browser's cookie handling mechanism. Details can be found here 

Resolution

What Is Being Done To Resolve?

The Clarity and Rally Engineering team is developing an API Key capability to support the embedding of two products within.  The team has already done some research into this area and is working to get this fixed as feasible. The Rally Engineering team is tracking this enhancement as Story S206731, and the fix was implemented on the Rally side on 10th Aug 2021.

Is There A Workaround For The Time Being?

  • Yes, there are browser configurations that can be adjusted to allow this integration, provided the browser has not been upgraded to a version where the SameSite cookie behavior is enabled by default.
  • If the external application (for example, Rally) is logged in on another tab and at the same time opened in a channel in Clarity, it will work, because the session is already established and the browser will use the same session.

Workaround by Browser

The remainder of this document covers browser configurations that allow the Clarity/Rally Timesheet integration to work in lower browser versions.

Chrome Browser

  • Open Chrome and paste the below into the URL field – Press Enter:

chrome://flags/#same-site-by-default-cookies

  • From the drop-down list select Disabled – Click Relaunch

The Clarity/Rally Timesheet or any iframe embedded integration should now work.

 

Microsoft Edge (Chromium)

  • Open Edge and paste the below into the URL field – Press Enter:

edge://flags/#same-site-by-default-cookies

  • From the drop-down list select Disabled – Click Restart (similar to the Chrome screenshot above)

The Clarity/Rally Timesheet or any iframe embedded integration should now work.

Firefox Browser

  • Open Firefox and paste the following into the URL field – Press Enter:

about:config

  • If you see a ‘Proceed with Caution’ warning, click ‘Accept the Risk and Continue’
  • Paste the below into the ‘Search preference name’ field:

same-site-by-default-cookies

  • Click the Toggle icon to set to ‘false’:

The Clarity/Rally Timesheet or any iframe embedded integration should now work.

Safari Browser

  • Open Safari
  • Go to “Preferences > Privacy”
  • Uncheck “Prevent cross-site tracking” option

The Clarity/Rally Timesheet or any iframe embedded integration should now work.