Firefox changed the default cross-domain (SameSite) behavior of cookies starting with Firefox 79 (June 2020). Firefox now sets cookies without an explicit SameSite attribute as SameSite=Lax by default, rather than SameSite=None as in previous versions. This change enhances security and privacy but requires testing of custom Salesforce integrations that rely on cookies. Developers must explicitly set SameSite=None; Secure on cookies used for cross-domain communication to maintain integration functionality. Salesforce applied SameSite fixes in Winter '21 for Firefox 82 and later. If you have not yet prepared your org, review this article and take the actions described.
To require HTTPS for communities, portals, or Sites: Go to Setup > Sites, click the site you want to edit, and verify the Require Secure Connections (HTTPS) checkbox is selected. Note: In Winter '21, this setting was removed because HTTP connections are no longer permitted for authenticated requests.
To verify that your Canvas connected app uses HTTPS: In Salesforce Classic, go to Setup > Canvas App Previewer and confirm the app loads. If not, update the Canvas App URL and Callback URL to use HTTPS.
Before Firefox releases SameSite changes to all users, test any custom Salesforce integrations that rely on cookies owned and set by your integration. Test in a sandbox. If you find regressions, update the SameSite attribute on cookies used for cross-domain communication to explicitly set SameSite=None; Secure. If you set a cookie in Apex, use the SameSite attribute of the Cookie() constructor method. To test SameSite behavior in Firefox before the rollout, navigate to about:config and set both network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure to true.
Salesforce updated the SameSite attribute on cookies set by Salesforce in Winter '21. These fixes apply to Firefox 82 and later. Test in a sandbox with the latest Firefox version.
000389944

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.