Set ARRAffinity cookie with SameSite option
Given the upcoming changes in Chrome, we would like to be able to set the SameSite option of the ARRAffinity cookie (as None, Lax or Strict). Not allowing us to set it to None means that Chrome will mark it as Lax, meaning that our pages cannot be displayed in an iFrame of 3rd parties.
Michael Davis commented
This is a finding when doing a dynamic code scan. We must report these for FedRAMP compliance. Since this cannot be mitigated, we are required to create a POA&M for this item.
Nicolaj Hedeager Larsen commented
This uservoice definitely needs some attention.
With the new cookie restrictions there seems to be no way to ensure the user session stays with a certain app instance for a website running within an iFrame.
If we need to keep track of the user session in a website running within an iFrame we would not be able to scale out the App Service Plan.
Christopher Kaschig commented
Getting more and more important I think.
We are now on Chrome 79 - according to the referenced Chromestatus pages, the restriction became effective with Chrome 80...
"A cookie associated with a cross-site resource at http://***.azurewebsites.net/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032."
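The Chrome message quoted above describes the rule: a cookie set without `SameSite` is treated as `Lax` and is not sent with cross-site requests such as a third-party iframe, and `SameSite=None` is only honoured together with `Secure`. The following is an added example, not code from this thread or from Azure App Service, that audits a list of `Set-Cookie` headers against that rule so an affinity cookie like ARRAffinity can be flagged before a scan does; the header values are constructed.

```python
# Constructed Set-Cookie headers modelled on the thread: an affinity cookie
# without SameSite, and a hypothetical session cookie that is already correct.
SAMPLE_SET_COOKIE_HEADERS = [
    "ARRAffinity=0123456789abcdef; Path=/; HttpOnly; Domain=example.azurewebsites.net",
    "app_session=deadbeef; Path=/; Secure; HttpOnly; SameSite=None",
    "prefs=dark; Path=/; SameSite=Lax",
    "tracker=xyz; Path=/; SameSite=None",  # missing Secure
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into its name, value and lowercase attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs (Secure) get ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cross_site_status(header: str) -> str:
    """Classify how Chrome 80+ treats this cookie on a cross-site request,
    e.g. when the page that set it is framed by a third-party site.

    'sent'           SameSite=None and Secure: delivered cross-site
    'rejected'       SameSite=None without Secure: Chrome drops the cookie
    'lax-by-default' no SameSite attribute: treated as Lax, so not sent to
                     an iframe (Chrome's temporary Lax+POST exception only
                     covers top-level navigations, not framed content)
    'not-sent'       SameSite=Lax or Strict set explicitly
    """
    cookie = parse_set_cookie(header)
    same_site = cookie["attrs"].get("samesite", "").lower()
    secure = "secure" in cookie["attrs"]
    if same_site == "none":
        return "sent" if secure else "rejected"
    if same_site in ("lax", "strict"):
        return "not-sent"
    return "lax-by-default"


def audit_headers(headers) -> dict:
    """Map each cookie name to its cross-site status; anything other than
    'sent' will break session affinity for a site running inside an iframe."""
    return {parse_set_cookie(h)["name"]: cross_site_status(h) for h in headers}


if __name__ == "__main__":
    for name, status in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name:12s} {status}")
```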