
Browser Changes Initiated by Google Chrome 80 (and Firefox/IE) - Cross-Site Request Forgery (CSRF) Concerns for Applications Deployed to Oracle WebLogic Server (Doc ID 2637652.1)

Last updated on APRIL 19, 2023

Applies to:

Oracle WebLogic Server - Version 10.3.6 and later
Information in this document applies to any platform.
This document is for custom applications deployed to WebLogic Server. Applications supplied by Oracle may have coordinated advice provided by respective application/product teams.

Purpose

This document outlines an issue that may affect applications deployed to Oracle WebLogic Server.

Introduction to the SameSite Cookie Issue

The Google Chrome 80 release, scheduled for February 2020, changes the default cross-domain (SameSite) behavior of cookies to enhance security and privacy. Mozilla and Microsoft have also indicated an intent to implement the new model in Firefox and Edge in the future.

The Chrome Platform Status entry for this change explains the intent of the SameSite attribute:

"SameSite is a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks, but developers currently need to opt-into its protections by specifying a SameSite attribute. In other words, developers are vulnerable to CSRF attacks by default. This change would allow developers to be protected by default while allowing sites that require state in cross-site requests to opt-in to the status quo's less-secure model. In addition, forcing sites to opt-in to SameSite=None gives the user agent the ability to provide users more transparency and control over tracking."

Starting with the Chrome 80 release in February 2020, Chrome treats cookies that carry no declared SameSite value as SameSite=Lax by default; before Chrome 80 the default was SameSite=None. After the Chrome 80 release, developers can still opt into the previous unrestricted behavior by explicitly setting "SameSite=None; Secure" on the cookies that must be available in cross-site requests.
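As an added illustration (not part of the Oracle note), the following Python models the default change just described: how a browser decides whether a cookie accompanies a cross-site request before and after Chrome 80, and what the explicit "SameSite=None; Secure" opt-in does to a Set-Cookie header. The request-kind labels and helper names are assumptions of this model, and the cookie headers used are constructed samples.

```python
import re
from typing import Optional


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def effective_samesite(cookie: dict, chrome80: bool) -> Optional[str]:
    """Resolve the SameSite mode the browser enforces for this cookie.

    An unset SameSite means None before Chrome 80 and Lax from Chrome 80 on.
    Returns None when Chrome 80 rejects the cookie outright, which it does for
    SameSite=None cookies that are not also marked Secure.
    """
    declared = cookie["attrs"].get("samesite")
    if not isinstance(declared, str):
        return "lax" if chrome80 else "none"
    declared = declared.lower()
    if chrome80 and declared == "none" and "secure" not in cookie["attrs"]:
        return None
    return declared


def sent_cross_site(header: str, request_kind: str, chrome80: bool) -> bool:
    """Would the cookie ride along on a cross-site request of the given kind?

    request_kind (assumed labels): 'top_level_get' (link or redirect),
    'top_level_post' (cross-site form submit) or 'subresource' (XHR, fetch,
    iframe, image).  Lax allows only safe top-level navigations.
    """
    mode = effective_samesite(parse_set_cookie(header), chrome80)
    if mode is None or mode == "strict":
        return False
    if mode == "none":
        return True
    return request_kind == "top_level_get"


def opt_in_cross_site(header: str) -> str:
    """Rewrite a Set-Cookie header to the explicit 'SameSite=None; Secure' form."""
    base = re.sub(r";\s*(samesite|secure)\b(=[^;]*)?", "", header, flags=re.IGNORECASE)
    return base.rstrip("; ") + "; SameSite=None; Secure"
```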

Other browser vendor plans:


For more information, see this Chromium blog post.

Oracle recommends that application developers and application server administrators assess their situation to see if they will be impacted. Included in this document are some steps to consider.

Scope

 

Details



In this Document
Purpose
  Introduction to the SameSite Cookie Issue
Scope
Details
  Use HTTPS instead of HTTP while setting SameSite=None
  How to Test Your Applications With New Cookie Behavior
  How to Explicitly Set SameSite Cookie Attribute in Your Application
  Using a Proxy (Oracle Traffic Director / Oracle HTTP Server / Apache)
References
