Browser Changes Initiated by Google Chrome 80 (and Firefox/IE) - Cross-Site Request Forgery (CSRF) Concerns for Applications Deployed to Oracle WebLogic Server
(Doc ID 2637652.1)
Last updated on APRIL 19, 2023
Applies to:Oracle WebLogic Server - Version 10.3.6 and later
Information in this document applies to any platform.
This document is for custom applications deployed to WebLogic Server. Applications supplied by Oracle may have coordinated advice provided by respective application/product teams.
This document outlines an issue that may affect applications deployed to Oracle WebLogic Server.
Introduction to the SameSite Cookie Issue
The Google Chrome 80 release, scheduled for February 2020, changes the default cross-domain (SameSite) behavior of cookies to enhance security and privacy. Mozilla and Microsoft have also indicated an intent to implement the new model in Firefox and Edge in the future.
This Chrome Platform Status explains the intent of the SameSite attribute:
“SameSite is a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks, but developers currently need to opt-into its protections by specifying a SameSite attribute. In other words, developers are vulnerable to CSRF attacks by default. This change would allow developers to be protected by default while allowing sites that require state in cross-site requests to opt-in to the status quo’s less-secure model. In addition, forcing sites to opt-in to SameSite=None gives the user agent the ability to provide users more transparency and control over tracking."
With Chrome 80 release in February, by default Chrome will treat cookies that have no declared SameSite value as SameSite=Lax. Up until Chrome 80, the default is SameSite=None. After the Chrome 80 release, developers can still opt into the status quo of unrestricted use by explicitly setting "SameSite=None; Secure" cookies that will be available for external access.
Other browser vendor plans:
- Mozilla has affirmed their support of the new cookie classification model with their intent to implement the "SameSite=None; Secure" requirements for cross-site cookies in Firefox.
- Microsoft recently announced plans to begin implementing the model starting as an experiment in Microsoft Edge 80.
Update Jan 21, 2022: Firefox has implemented the same requirement in the latest version. This now affects the newer versions of Firefox, Chrome and IE (which uses Chromium).
For more information, see this Chromium blog post.
Oracle recommends that application developers and application server administrators assess their situation to see if they will be impacted. Included in this document are some steps to consider.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document
|Introduction to the SameSite Cookie Issue|
|Use HTTPS instead of HTTP while setting SameSite=None|
|How to Test Your Applications With New Cookie Behavior|
|How to Explicitly Set SameSite Cookie Attribute in Your Application|
|Using a Proxy ( Oracle Traffic Director / Oracle HTTP Server / Apache )|