diff --git a/release_notes/index.adoc b/release_notes/index.adoc index 7efa9dd8478..0124cac0fc7 100644 --- a/release_notes/index.adoc +++ b/release_notes/index.adoc @@ -16,6 +16,9 @@ include::topics/templates/release-header.adoc[] == {project_name_full} 9.0.0 include::topics/9_0_0.adoc[leveloffset=2] +== {project_name_full} 8.0.2 +include::topics/8_0_2.adoc[leveloffset=2] + == {project_name_full} 8.0.1 include::topics/8_0_1.adoc[leveloffset=2] diff --git a/release_notes/topics/8_0_2.adoc b/release_notes/topics/8_0_2.adoc new file mode 100644 index 00000000000..f984c9be9d4 --- /dev/null +++ b/release_notes/topics/8_0_2.adoc @@ -0,0 +1,9 @@ += Highlights + +== SameSite cookie changes with upcoming Google Chrome update + +Starting with version 80, Google Chrome will change the default value for the `SameSite` cookie parameter to `Lax`. +Therefore, changes were required to several {project_name} cookies (especially those which are used within the +Javascript adapter for checking the session status using the iframe) to set `SameSite` parameter to `None`. Please note +that this settings also requires setting the `Secure` parameter, hence starting with this version, the Javascript +adapter will only be fully functional when using the SSL / TLS connection on the {project_name} side. \ No newline at end of file diff --git a/securing_apps/topics/oidc/javascript-adapter.adoc b/securing_apps/topics/oidc/javascript-adapter.adoc index 5e321c79fad..7f78c120f79 100644 --- a/securing_apps/topics/oidc/javascript-adapter.adoc +++ b/securing_apps/topics/oidc/javascript-adapter.adoc 
@@ -92,6 +92,8 @@ It has no other task than sending the received tokens to the main application an Please keep in mind that this page at the specified location must be provided by the application itself and is _not_ part of the JavaScript adapter! +WARNING: Starting with Chrome version 80 (released on February 2020), silent `check-sso` functionality will work only +when the SSL / TLS connection is configured on the {project_name} side. To enable `login-required` set `onLoad` to `login-required` and pass to the init method: @@ -154,6 +156,11 @@ This feature can be disabled by setting `checkLoginIframe: false` in the options You should not rely on looking at this cookie directly. Its format can change and it's also associated with the URL of the {project_name} server, not your application. +WARNING: Starting with Chrome version 80 (released on February 2020), status iframe will only be able to see the special +cookie over the SSL / TLS connection configured on the {project_name} side. Using an insecure connection may lead to redirecting +to {project_name} every time iframe checks the status. You can avoid this behavior by disabling iframe +or link:{installguide_link}#_setting_up_ssl[configuring the SSL / TLS] on the {project_name} side. + [[_javascript_implicit_flow]] ==== Implicit and Hybrid Flow diff --git a/server_installation/topics/network/https.adoc b/server_installation/topics/network/https.adoc index b04d87a460c..63d0fe971de 100644 --- a/server_installation/topics/network/https.adoc +++ b/server_installation/topics/network/https.adoc @@ -1,4 +1,4 @@ - +[[_setting_up_ssl]] === Setting up HTTPS/SSL WARNING: {project_name} is not set up by default to handle SSL/HTTPS.
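Review bot: In the new `release_notes/topics/8_0_2.adoc`, "this settings also requires" should read "this setting also requires", and the file spells "Javascript adapter" twice while `securing_apps/topics/oidc/javascript-adapter.adoc` uses "JavaScript adapter"; please use one spelling, and add the missing trailing newline (`\ No newline at end of file`). It would also help readers if the release note linked to the install guide the same way the adapter docs do (`link:{installguide_link}#_setting_up_ssl[configuring the SSL / TLS]`), since the practical consequence, that `SameSite=None` cookies are only accepted when they also carry `Secure`, is exactly what that section resolves.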
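Review bot: In the first `javascript-adapter.adoc` hunk, "released on February 2020" should be "released in February 2020", and the warning would be clearer if it said why `check-sso` stops working: the session-status cookie is now set with `SameSite=None; Secure`, so a browser will not send it to the status iframe unless the {project_name} server is reached over HTTPS. As written, the reader only learns that TLS is required, not that the failure mode is the iframe never seeing the cookie.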
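Review bot: In the second `javascript-adapter.adoc` hunk, "status iframe will only be able", "every time iframe checks" and "by disabling iframe" each need the article ("the status iframe", "the iframe"). More importantly, the described behaviour, a redirect to {project_name} on every status check over an insecure connection, is effectively a redirect loop from the user's point of view; consider stating that plainly and noting that disabling the iframe (`checkLoginIframe: false`, already documented above this hunk) trades the loop for losing session-status detection, so enabling TLS is the preferred fix. The `link:{installguide_link}#_setting_up_ssl` reference depends on the anchor added in the `https.adoc` hunk; both changes need to land together or the link dangles.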
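Review bot: In the `server_installation/topics/network/https.adoc` hunk, the new `[[_setting_up_ssl]]` anchor replaces the blank line that used to be line 1. Because this file is pulled in via `include::`, the anchor will directly follow whatever the including document ends with; if that is not a blank line, AsciiDoc may attach the anchor to the preceding block instead of the `=== Setting up HTTPS/SSL` heading, and the cross-reference from the adapter docs would then point at the wrong place. Keeping a blank line before the anchor (or verifying the includer always leaves one) avoids that.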