Loading

Firefox Changes to SameSite Cookie Behavior Can Break Salesforce Integrations

게시 일자: Jun 15, 2026
상세 설명

Firefox changed the default cross-domain (SameSite) behavior of cookies starting with Firefox 79 (June 2020). Firefox now sets cookies without an explicit SameSite attribute as SameSite=Lax by default, rather than SameSite=None as in previous versions. This change enhances security and privacy but requires testing of custom Salesforce integrations that rely on cookies. Developers must explicitly set SameSite=None; Secure on cookies used for cross-domain communication to maintain integration functionality. Salesforce applied SameSite fixes in Winter '21 for Firefox 82 and later. If you have not yet prepared your org, review this article and take the actions described.

솔루션

What This Means for Your Org

The Firefox SameSite changes may require the following changes:

  1. Cookies do not work for non-secure (HTTP) browser access, including communities, portals, Sites, Outlook integrations, and Gmail integrations. Use HTTPS instead.
  2. Custom integrations that rely on cookies may no longer work in Firefox. This particularly affects cross-domain communication and integrations using iframes.

What You Need to Do

Use HTTPS Instead of HTTP

Ensure the following Session Settings are enabled in Setup (both are enabled by default — verify they are active in your org):

  • Require secure connections (HTTPS) — Determines whether HTTPS is required to log in to or access Salesforce. Enforced globally as of May 1, 2020.
  • Require secure connections (HTTPS) for all third-party domains — Determines whether HTTPS is required for connecting to third-party domains.

To require HTTPS for communities, portals, or Sites: Go to Setup > Sites, click the site you want to edit, and verify the Require Secure Connections (HTTPS) checkbox is selected. Note: In Winter '21, this setting was removed because HTTP connections are no longer permitted for authenticated requests.
To verify that your Canvas connected app uses HTTPS: In Salesforce Classic, go to Setup > Canvas App Previewer and confirm the app loads. If not, update the Canvas App URL and Callback URL to use HTTPS.

Test Custom Integrations That Rely on Cookies

Before Firefox releases SameSite changes to all users, test any custom Salesforce integrations that rely on cookies owned and set by your integration. Test in a sandbox. If you find regressions, update the SameSite attribute on cookies used for cross-domain communication to explicitly set SameSite=None; Secure. If you set a cookie in Apex, use the SameSite attribute of the Cookie() constructor method. To test SameSite behavior in Firefox before the rollout, navigate to about:config and set both network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure to true.

What This Means for Lightning Experience and Salesforce Classic

Salesforce updated the SameSite attribute on cookies set by Salesforce in Winter '21. These fixes apply to Firefox 82 and later. Test in a sandbox with the latest Firefox version.

 

Knowledge 기사 번호

000389944

 
로드 중
Salesforce Help | Article