As of February 2020, Google Chrome and other Chromium-based browsers have stopped sending third-party cookies in cross-site requests unless the cookies are secured and flagged using an IETF standard called SameSite. This article provides an information for Imperva On-Prem WAF customers about the change and how to make sure this functionality is supported.
The SameSite cookie attribute gives websites control over how to handle their cookies, specifically by not sending cookies to third-party sites. In allowing our customers to control where cookies are sent, their application will be protected against CSRF since an attacker cannot obtain information about a user's session.
In February, 2020 a release to Chromium updated the behaviour of all Chromium-based browsers (Chrome version 80). Content from third-party websites (images, iframes, etc.) on original website pages can no longer access third-party website cookies unless those cookies are appropriately secured and flagged according to the IETF SameSite standard.
Changes:
- Cookies without a SameSite attribute are treated as SameSite=Lax; meaning the default behavior will be to restrict cookies to first party contexts only.
- Cookies for cross-site usage must specify SameSite=None; Secure to enable inclusion in third-party context.
These changes mean that if a customer is using cookies that need to be sent by a third-party (cross-site) cookies sent must be updated to the format above.
An additional attribute, Secure, restricts cross-site cookie access to secure HTTPS connections. If these changes are not made, cookies will be treated as restricted to first-party only (only to websites from which request originates).
Mozilla and Microsoft have also signaled their intention to implement a similar model in Firefox and Edge (no ETA to date).
Customers can check their websites against the new SameSite attributes behaviour by following these steps.
The Developer Tools console also provides warnings when a page contains cross-site cookies that are missing the required settings.
Imperva On-Prem WAF Customers using the following features are affected by this change:
|
If in Reverse Proxy Mode
|
If in Bridge Mode
|
|
· More than one Reverse Proxy rule is used
· URL-Rewrite configured on the response
· Cookie Signing Policy is in use
· ThreatRadar Bot Protection
· ATO
· HSTS
|
· ThreatRadar Bot Protection
· ATO
|
Imperva recommends upgrading to version 13.6.0.35 in order to guarantee support for this functionality.
How to check if one of these features is in use:
- More than one Reverse Proxy rule is used:
Go to Setup → Sites → Relevant Service → Reverse Proxy
Check if more than one reverse proxy rule is configured:
2. URL-Rewrite configured on the response:
Go to Setup → Global Objects → URL Rewrite Groups
Check if at least one of the rules is configured to be applied on the Response:
3. Cookie Signing Policy is in use:
Cookie Signing Policy is enabled and applied under Policies → Security:
4. ThreatRadar Bot Protection
ThreatRadar → Dashboard:
5. ATO
ThreatRadar → Dashboard
Check if Account Takeover Protection appears in the list:
6. HSTS
Go to Setup → Gateways → Relevant Gateway Group
Expand Advanced Configuration
Check if HSTS is configured
For Example:
Additional information is available here:
https://blog.heroku.com/chrome-changes-samesite-cookie
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://forums.aws.amazon.com/ann.jspa?annID=7413
#On-PremisesWAF(formerlySecuresphere)