
Microsoft Edge Browser Release 86 Changes SameSite Cookie Behavior and Can Break Salesforce Integrations

Published: Oct 13, 2022
Description
Microsoft Edge is changing the default cross-domain (SameSite) behavior of cookies coinciding with the stable release of Edge 86 during the week of October 8, 2020. The SameSite changes are happening in the Chromium project, on which Microsoft Edge is based. The SameSite changes enhance security and privacy but require customers and partners to test custom Salesforce integrations that rely on cookies.

The SameSite attribute on a cookie controls its cross-domain behavior. The Chrome Platform Status entry for this feature explains the intent of the SameSite attribute.
“SameSite is a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks, but developers currently need to opt in to its protections by specifying a SameSite attribute. In other words, developers are vulnerable to CSRF attacks by default. This change would allow developers to be protected by default, while allowing sites that require state in cross-site requests to opt in to the status quo’s less-secure model.”

If no SameSite attribute is specified, the Edge 86 release treats the cookie as SameSite=Lax by default. Until the Edge 86 release, a cookie with no SameSite attribute is treated as SameSite=None, that is, it is sent on cross-site requests. After the Edge 86 release, developers can still opt in to the status quo of unrestricted cross-site use by explicitly setting SameSite=None; Secure. Edge 86 also rejects a cookie that sets SameSite=None without the Secure attribute, which is why cross-site cookies work only over HTTPS.

For more information, see this Chromium blog post.

Google Chrome already enforced the same SameSite changes (starting with Chrome 80). Firefox is also changing the SameSite cookie behavior, which we've detailed in a separate knowledge article.
 

When Will the Microsoft Edge SameSite Changes Go Live?

This Microsoft Edge documentation indicates that the SameSite changes will coincide with the stable release of Edge 86 during the week of October 8, 2020. This change is happening in the Chromium project, on which Microsoft Edge is based. For Google’s planned timeline for the SameSite changes, see the Chromium Project’s SameSite Updates topic.

Salesforce is ready for the SameSite changes whenever the Chromium project rolls them out. If you haven't yet prepared your org for this change, please review the entirety of this article for additional information.
Solution

What Does This Mean for Me?

These SameSite changes may require you to make changes in your org.

1. Cookies that must be sent cross-site won't work for non-secure (HTTP) browser access, because SameSite=None requires the Secure attribute. This affects any community, portal, site, or Outlook or Gmail integration in your org that is accessed over HTTP. Use HTTPS instead.
2. Any custom integrations that rely on cookies might no longer work in Microsoft Edge. This change particularly affects, but is not limited to, cross-domain communication and integrations that use iframes.


What Do I Need to Do?

1. Use HTTPS instead of HTTP
To require HTTPS access in your org, ensure that the following Session Settings in Setup are enabled. These settings are enabled by default but verify that HTTPS is required in your org.

From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.

Require secure connections (HTTPS)
Determines whether HTTPS is required to log in to or access Salesforce.
On May 1, 2020, we enforced the Require Secure HTTPS Connections critical update that required HTTPS connections to access Salesforce.

Require secure connections (HTTPS) for all third-party domains
Determines whether HTTPS is required for connecting to third-party domains.

If either of these settings is disabled, Edge users can experience disrupted functionality after the Edge 86 release.
 
To require HTTPS access in communities, portals, or sites:
a. From Setup, in the Quick Find box, enter Sites, then select Sites.
b. Click the site you want to edit, and ensure that the Require Secure Connections (HTTPS) checkbox is selected.

In Winter ’21, we removed this setting because HTTP connections are no longer permitted for authenticated requests. See this release note for more information.

To check whether your Salesforce Classic Canvas connected app works with HTTPS:
a. In Salesforce Classic, from Setup, in the Quick Find box, enter Canvas App Previewer, then select Canvas App Previewer.
b. Click the app that you want to check. If the app loads, it means that the URLs are already set to use HTTPS. If the app doesn’t load in the previewer, update the Canvas App URL and Callback URL to use HTTPS.

To update your Canvas connected app to HTTPS:
a. In Salesforce Classic, from Setup, enter Create, and then click Apps.
b. Select the Canvas connected app that you want to update.
c. In the Canvas App URL field, update the URL to use HTTPS.
d. In the Callback URL field, update the URL to use HTTPS.
e. Click Save.
f. Go back to the Canvas App Previewer and check that the app opens as expected.

Note: The first time that you navigate to the HTTPS URL, close and reopen tabs and clear your browser history.

Upgrade the LiveMessage Managed Package
Similar to other features, LiveMessage (Classic) requires that the Require Secure Connections (HTTPS) and Require secure connections (HTTPS) for all third-party domains Session Settings in Setup are enabled in your org.
 
The Edge 86 release is supported on version 4.46 or later of the managed package. If your org has an older version installed, upgrade to the latest version here.

2. Test custom Salesforce integrations that rely on cookies owned and set by your integration
Before the Edge 86 release, test any custom Salesforce integrations that rely on cookies owned and set by your integration. Test in a sandbox. If you find any regressions, update the SameSite attribute on cookies used for cross-domain communication to explicitly set SameSite=None; Secure. If you set a cookie in Apex, use the sameSite parameter added to the Apex Cookie constructor.

To test the effects of the SameSite behavior on your site or cookies before Edge rolls out these changes, navigate to edge://flags. Enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments. For more information, see this Chromium blog post. The fixes in Winter '21 apply to Edge 86 and later.

Note: As you're testing your cookies, consider the most secure SameSite value that works for each cookie. If a cookie is intended to be accessed only in a first-party context, apply SameSite=Lax or SameSite=Strict to prevent cross-site access. Explicitly setting SameSite=Lax means that you're not relying on default browser behavior.
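The following is an added example (not Salesforce code, and not part of this article's original content) that makes the default change described above concrete and gives you a way to audit the Set-Cookie headers your integration emits before testing in Edge. It parses a Set-Cookie value, reports how the cookie behaves once "SameSite by default cookies" and "Cookies without SameSite must be secure" are enforced, simulates whether the cookie is attached to a cross-site request (for example an iframe load), and builds a correctly attributed header. The sample headers and the cookie names in them are constructed for illustration; the request contexts are simplified, and Chromium's temporary "Lax+POST" allowance for very fresh cookies is deliberately not modelled.

```javascript
// Added example (not Salesforce code): audit Set-Cookie headers against the
// Edge 86 / Chromium "SameSite by default" rules described in the article and
// simulate whether a cookie is attached to a given request.
// The header samples below are constructed for illustration.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    secure: false,
    sameSite: null, // null = attribute not present
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = String(val).toLowerCase();
    else cookie.attrs[key] = val;
  }
  return cookie;
}

// Effective SameSite mode once "SameSite by default cookies" and
// "Cookies without SameSite must be secure" are enforced (Edge 86):
// an absent or unrecognised attribute means Lax, and None is only honoured
// on a Secure cookie; None without Secure is rejected by the browser.
function effectiveSameSite(cookie) {
  switch (cookie.sameSite) {
    case 'strict': return 'strict';
    case 'lax': return 'lax';
    case 'none': return cookie.secure ? 'none' : 'rejected';
    default: return 'lax';
  }
}

// Classify what changes for one header when the new defaults land.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const effective = effectiveSameSite(c);
  let finding;
  if (c.sameSite === null) {
    finding = 'no SameSite attribute: now treated as Lax, so not sent on cross-site requests';
  } else if (effective === 'rejected') {
    finding = 'SameSite=None without Secure: cookie is rejected';
  } else {
    finding = `explicit SameSite=${c.sameSite}: behaviour unchanged`;
  }
  return { name: c.name, effective, finding };
}

// Would the browser attach this cookie to a request?
// ctx = { crossSite, method, topLevelNavigation }. Chromium's temporary
// "Lax+POST" allowance for cookies younger than two minutes is not modelled.
function cookieSent(cookie, ctx) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false;
  if (!ctx.crossSite || mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: only top-level navigations with a safe method (e.g. a link click),
  // never an <iframe> load, fetch/XHR, or a cross-site form POST.
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  return Boolean(ctx.topLevelNavigation) && safe.includes(String(ctx.method).toUpperCase());
}

// Build a Set-Cookie value the way the article recommends: the caller opts in
// to cross-site use explicitly, and the cookie always carries Secure so it
// only travels over HTTPS (SameSite=None would otherwise be rejected).
function buildSetCookie(name, value, { sameSite = 'Lax', path = '/', maxAge, httpOnly = true } = {}) {
  const ss = sameSite.charAt(0).toUpperCase() + sameSite.slice(1).toLowerCase();
  if (!['Strict', 'Lax', 'None'].includes(ss)) throw new Error(`invalid SameSite value: ${sameSite}`);
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push('HttpOnly');
  parts.push('Secure', `SameSite=${ss}`);
  return parts.join('; ');
}

// Constructed sample headers, as an integration might have set them before Edge 86.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; HttpOnly',                 // no SameSite attribute at all
  'canvas_session=xyz; Path=/; SameSite=None',    // None without Secure
  'pref=dark; Path=/; Secure; SameSite=Lax',      // explicit first-party cookie
  'embed=1; Path=/; Secure; SameSite=None',       // correct cross-site opt-in
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}

const IFRAME_LOAD = { crossSite: true, method: 'GET', topLevelNavigation: false };
for (const h of SAMPLE_HEADERS) {
  const c = parseSetCookie(h);
  console.log(`${c.name}: effective=${effectiveSameSite(c)} sentInIframe=${cookieSent(c, IFRAME_LOAD)}`);
}
```

Run it with Node to see which of the sample cookies survive an iframe load: only the cookie that explicitly sets SameSite=None together with Secure is sent, the unattributed session cookie silently becomes Lax, and the None-without-Secure cookie is never stored at all. To audit a real integration, feed the Set-Cookie values captured from its responses into auditAll and fix every entry whose finding is not "behaviour unchanged".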

If you encounter an issue with an integration after the Edge 86 release, you can temporarily use an unaffected browser, the mobile app, or an older version of Edge while you implement a fix.


What Does This Mean for Sales and Service in Lightning Experience and Salesforce Classic?

We support the ongoing effort to improve privacy and security across the web. We updated the SameSite attribute on cookies set by Salesforce. The fixes were made in Winter '21 and apply to Edge 86 and later.

We recommend that you test in a sandbox with the latest version of Microsoft Edge. We will update this article when any new information emerges.


Resources

 
Knowledge Article Number

000389943

 