Imperva Product Updates - Chromium SameSite Cookie Attribute Update

By Ira Miga posted 25 days ago

  


As of February 2020, Google Chrome and other Chromium-based browsers have stopped sending third-party cookies in cross-site requests unless the cookies are secured and flagged using an IETF standard called SameSite. This article provides an information for Imperva On-Prem WAF customers about the change and how to make sure this functionality is supported.


The SameSite cookie attribute gives websites control over how to handle their cookies, specifically by not sending cookies to third-party sites. In allowing our customers to control where cookies are sent, their application will be protected against CSRF since an attacker cannot obtain information about a user's session.

In February, 2020 a release to Chromium updated the behaviour of all Chromium-based browsers (Chrome version 80). Content from third-party websites (images, iframes, etc.) on original website pages can no longer access third-party website cookies unless those cookies are appropriately secured and flagged according to the IETF SameSite standard.

Changes:

  •         Cookies without a SameSite attribute are treated as SameSite=Lax; meaning the default behavior will be to restrict cookies to first party contexts only.
  •         Cookies for cross-site usage must specify SameSite=None; Secure to enable inclusion in third-party context.

These changes mean that if a customer is using cookies that need to be sent by a third-party (cross-site) cookies sent must be updated to the format above.

 An additional attribute, Secure, restricts cross-site cookie access to secure HTTPS connections. If these changes are not made, cookies will be treated as restricted to first-party only (only to websites from which request originates).

Mozilla and Microsoft have also signaled their intention to implement a similar model in Firefox and Edge (no ETA to date). 

 Customers can check their websites against the new SameSite attributes behaviour by following these steps.

The Developer Tools console also provides warnings when a page contains cross-site cookies that are missing the required settings. 

 

Imperva On-Prem WAF Customers using the following features are affected by this change:

If in Reverse Proxy Mode

If in Bridge Mode

·         More than one Reverse Proxy rule is used

·         URL-Rewrite configured on the response

·         Cookie Signing Policy is in use

·         ThreatRadar Bot Protection

·         ATO

·         HSTS

·         ThreatRadar Bot Protection

·         ATO

 


Imperva recommends upgrading to version 13.6.0.35 in order to guarantee support for this functionality.

How to check if one of these features is in use:

 

  1. More than one Reverse Proxy rule is used:

Go to Setup → Sites → Relevant Service → Reverse Proxy

Check if more than one reverse proxy rule is configured:

Capture.png
     2. 
URL-Rewrite configured on the response:

Go to Setup → Global Objects → URL Rewrite Groups

Check if at least one of the rules is configured to be applied on the Response:

Capture2.png

 
   3. Cookie Signing Policy is in use:

Cookie Signing Policy is enabled and applied under Policies → Security:

Capture3.png 
   4. ThreatRadar Bot Protection

ThreatRadar → Dashboard:
Capture4.png   
5. ATO

ThreatRadar → Dashboard

Check if Account Takeover Protection appears in the list:

Capture5.png

    6. HSTS

Go to Setup → Gateways → Relevant Gateway Group

Expand Advanced Configuration

Check if HSTS is configured

For Example:

Capture6.png

Additional information is available here:

https://blog.heroku.com/chrome-changes-samesite-cookie

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

https://forums.aws.amazon.com/ann.jspa?annID=7413

 


#On-PremisesWAF(formerlySecuresphere)
3 comments
1465 views

Permalink

Comments

23 days ago

Thanks

23 days ago

Hi itzik benabu,

Threat Radar Bot Protection and ATO are features that are using data tampering, meaning the request is regenerated by On-Prem WAF in case one of these features is in use. On-Prem WAF removes SameSite cookie when the request is regenerated. To prevent this behaviour latest version 13.6.0.35 as described in the blog should be used.
Hope it's helpful!

24 days ago

Hi,
I working in bridge mode I understand what the samesite cookie from the client-side can you explain what ThreatRadar Bot Protection and ATO do with this parameter?

thanks,
Itzik