Firefox Changes to SameSite Cookie Behavior Can Break Salesforce Integrations

Publication date: Oct 13, 2022
Description
Firefox is changing the default cross-domain (SameSite) behavior of cookies. The SameSite changes enhance security and privacy but require customers and partners to test custom Salesforce integrations that rely on cookies. Beginning with Firefox 79 (June 2020), Mozilla rolled out the changed SameSite behavior for 50% of its Firefox Beta users.

The SameSite attribute on a cookie controls its cross-domain behavior. If no SameSite attribute is specified, Firefox sets cookies as SameSite=Lax by default. In previous versions of Firefox, the default was SameSite=None. After this change, developers can still opt in to the status quo of unrestricted use by explicitly setting SameSite=None; Secure.

This Mozilla Hacks blog post explains the intent of the SameSite attribute changes.
“Currently, the absence of the SameSite attribute implies that cookies will be attached to any request for a given origin, no matter who initiated that request. This behavior is equivalent to setting SameSite=None. However, this “open by default” behavior leaves users vulnerable to Cross-Site Request Forgery (CSRF) attacks. In a CSRF attack, a malicious site attempts to use valid cookies from legitimate sites to carry out attacks.”

For more information, see this Mozilla Hacks blog post.

Last year, Google Chrome enforced the same SameSite changes. Microsoft Edge is also changing the SameSite cookie behavior, which we've detailed in this knowledge article.


When Will the Firefox SameSite Changes Go Live?

This Mozilla Hacks blog post indicates that there’s no timeline for releasing the SameSite changes to all users. Starting with Firefox 79 (June 2020), Mozilla rolled out the SameSite changes to 50% of its Firefox Beta users. Mozilla wants to first monitor the scope of any breakages as an indicator of whether sites have adapted to the new default behavior.

The changed SameSite behavior has been live in Firefox Nightly since Nightly 75 (February 2020).

Salesforce is ready for the SameSite changes whenever Firefox rolls them out. If you haven't yet prepared your org for this change, please review the entirety of this article for additional information.
Solution

What Does This Mean for Me?

These SameSite changes by Firefox may require you to make changes in your org.

1. Cookies won't work for non-secure (HTTP) browser access, including any community, portal, site, or Outlook or Gmail integration in your org. Use HTTPS instead.
2. Any custom integrations that rely on cookies might no longer work in Firefox. This change particularly affects, but is not limited to, cross-domain communication and integrations that use iframes.


What Do I Need to Do?

1. Use HTTPS instead of HTTP
To require HTTPS access in your org, ensure that the following Session Settings in Setup are enabled. These settings are enabled by default, but verify that HTTPS is required in your org.

From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.

Require secure connections (HTTPS)
Determines whether HTTPS is required to log in to or access Salesforce. On May 1, 2020, we enforced the Require Secure HTTPS Connections critical update, which required HTTPS connections to access Salesforce.

Require secure connections (HTTPS) for all third-party domains
Determines whether HTTPS is required for connecting to third-party domains.

If either of these settings is disabled, Firefox users can experience disrupted functionality after the SameSite changes are live.

To require HTTPS access in communities, portals, or sites:
a. From Setup, in the Quick Find box, enter Sites, then select Sites.
b. Click the site you want to edit, and ensure that the Require Secure Connections (HTTPS) checkbox is selected.

In Winter ’21, we removed this setting because HTTP connections are no longer permitted for authenticated requests. See this release note for more information.

To check whether your Salesforce Classic Canvas connected app works with HTTPS:
a. In Salesforce Classic, from Setup, in the Quick Find box, enter Canvas App Previewer, then select Canvas App Previewer.
b. Click the app that you want to check. If the app loads, it means that the URLs are already set to use HTTPS. If the app doesn’t load in the previewer, update the Canvas App URL and Callback URL to use HTTPS.

To update your Canvas connected app to HTTPS:
a. In Salesforce Classic, from Setup, enter Create, and then click Apps.
b. Select the Canvas connected app that you want to update.
c. In the Canvas App URL field, update the URL to use HTTPS.
d. In the Callback URL field, update the URL to use HTTPS.
e. Click Save.
f. Go back to the Canvas App Previewer and check that the app opens as expected.
 
Note: The first time that you navigate to the HTTPS URL, close and reopen tabs and clear your browser history.

Upgrade the LiveMessage Managed Package
Similar to other features, LiveMessage (Classic) requires that the Require Secure Connections (HTTPS) and Require secure connections (HTTPS) for all third-party domains Session Settings in Setup be enabled in your org.
 
The Firefox 82 release is supported on version 4.46 or later of the managed package. If your org has an older version installed, upgrade to the latest version here.
 
2. Test custom Salesforce integrations that rely on cookies owned and set by your integration
Before Firefox releases the SameSite changes for all users, test any custom Salesforce integrations that rely on cookies owned and set by your integration. Test in a sandbox. If you find any regressions, update the SameSite attribute on cookies used for cross-domain communication to explicitly set SameSite=None; Secure. If you set a cookie in Apex, use the new SameSite attribute of the Cookie() constructor method.

This Mozilla Hacks blog post explains how to test the effects of the new Firefox behavior on your site or cookies before Firefox rolls out the SameSite changes. Navigate to about:config and type “SameSite” into the “Search Preference Name” bar. Set both network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure to “true.” The fixes in Winter '21 apply to Firefox 82 and later.

Note: As you're testing your cookies, consider what's the most secure SameSite value that works for each cookie. If a cookie is intended to be accessed only in a first-party context, you can apply SameSite=Lax or SameSite=Strict to prevent external access. Explicitly setting SameSite=Lax means that you're not relying on default browser behavior.
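A simplified model of the Firefox behavior described above, written for this article and not code from Salesforce or Mozilla: it parses a Set-Cookie header under the laxByDefault and noneRequiresSecure rules, then decides whether the cookie travels on a cross-site iframe request. The site names integration.example and partner.example and the sid cookie are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of Firefox's post-change cookie handling: a missing SameSite
# attribute means Lax, and SameSite=None is only accepted alongside Secure.

@dataclass
class Cookie:
    name: str
    same_site: str   # "Strict", "Lax" or "None"
    secure: bool

def parse_set_cookie(header: str) -> Optional[Cookie]:
    """Return the stored cookie, or None if the browser rejects it."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    secure, same_site = False, "Lax"            # laxByDefault
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            secure = True
        elif key.lower() == "samesite":
            val = val.strip().capitalize()
            same_site = val if val in ("Strict", "Lax", "None") else "Lax"
    if same_site == "None" and not secure:      # noneRequiresSecure
        return None
    return Cookie(name, same_site, secure)

def is_sent(cookie: Cookie, request_site: str, top_level_site: str,
            top_level_navigation: bool, method: str = "GET",
            https: bool = True) -> bool:
    """Decide whether the browser attaches the cookie to a request."""
    if cookie.secure and not https:
        return False
    if request_site == top_level_site:          # same-site request
        return True
    if cookie.same_site == "None":
        return True
    if cookie.same_site == "Lax":               # top-level GET/HEAD only
        return top_level_navigation and method in ("GET", "HEAD")
    return False                                # Strict: never cross-site

def iframe_keeps_session(set_cookie: str) -> bool:
    """Does a cookie set by the hypothetical integration at
    integration.example still reach it when framed by partner.example?"""
    cookie = parse_set_cookie(set_cookie)
    return cookie is not None and is_sent(
        cookie, "integration.example", "partner.example",
        top_level_navigation=False)
```

Running `iframe_keeps_session` on a header with no SameSite attribute returns False, which is the regression this section asks you to test for; the same header with `SameSite=None; Secure` returns True.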

If you encounter an issue with an integration after Firefox releases the SameSite changes, you can temporarily use an unaffected browser, the mobile app, or an older version of Firefox while you implement a fix.


What Does This Mean for Sales and Service in Lightning Experience and Salesforce Classic?

We support the ongoing effort to improve privacy and security across the web. We updated the SameSite attribute on cookies set by Salesforce.

The fixes were made in Winter '21 and apply to Firefox 82 and later. We recommend that you test in a sandbox with the latest version of Firefox. We will update this article when any new information emerges.


Resources

 
Knowledge Article Number

000389944