How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
I use an IFrame to display the Zimbra webmail portal within another web application. Recently, this stopped working in new versions of Google Chrome, which now requires cross-origin cookies to have the Secure and SameSite=None attributes set. In the webmail, users are getting an error saying that cookies are required for login, and on the developer console, I see the following error:
A cookie associated with a cross-site resource at http://xxxxxxx.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
It looks like this can be done in the Nginx configuration by using proxy_cookie_path, but in /opt/zimbra/conf/nginx I see a ton of configuration files in the directories there, and I am not sure which one(s) I need to edit, or if I am looking in the wrong place altogether. Some links that I am reading say to look for ssl.conf or default.conf, but Zimbra doesn't seem to use either of these files. Can anyone point me in the right direction? I am using Ubuntu 18.04 and Zimbra 8.8.6_GA_1906 OSE. Thanks in advance for any help!
- DualBoot
- Elite member
- Posts: 1326
- Joined: Mon Apr 18, 2016 8:18 pm
- Location: France - Earth
- ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
Hello,
You need to use the following attribute at the Zimbra Proxy level: zimbraReverseProxyResponseHeaders
Regards,
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
Thank you, DualBoot.
EDIT: This appeared to work, but it actually added a second Set-Cookie header without overwriting or removing the first one, so the issue is still ongoing. The following step added the header:
zmprov mcf +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_Test=true; Secure; SameSite=None\""
This generates a second header, but it seems like it's ignored because the first cookie is still being passed. Furthermore, upon login, a second cookie is added, which isn't accounted for in this approach.
It appears that the cookies are being generated in login.jsp - first the ZM_TEST cookie to see whether the browser accepts cookies, and then when the user actually logs in, there is an authentication cookie:
Cookie testCookie = new Cookie("ZM_TEST", "true");
testCookie.setSecure(com.zimbra.cs.taglib.ZJspSession.secureAuthTokenCookie(request));
response.addCookie(testCookie);
So perhaps I will need to modify this .jsp file, although I would prefer a configuration option so that I don't need to worry about updates overwriting my modifications.
Any other thoughts or ideas would be appreciated!
- DualBoot
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
This seems to be the good recipe:
zmprov md your_domain.tld +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_TEST=true; HttpOnly; Secure; SameSite=Strict\""
zmprov md your_domain.tld +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_LOGIN_CSRF=true; HttpOnly; Secure; SameSite=Strict\""
I usually do this at the domain level, so it is important to set up a zimbraVirtualHostname for your domain, which needs to be resolvable by your Zimbra itself.
Now you can get at least grade B here: https://observatory.mozilla.org
Regards,
- DualBoot
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
Well, after testing with an empty browser cache, it seems I was completely wrong. My command completely disables the authentication process.
It seems it is impossible to modify the cookie settings.
Sorry
Digging deeper, according to the Nginx documentation, if you want to manipulate cookies, Nginx needs the cookie flag module:
https://docs.nginx.com/nginx/admin-guid ... okie-flag/
And Zimbra's Nginx is not provided with this module, according to the output of the following command:
zimbra@srv-zproxy01:~$ nginx -V
nginx version: nginx/1.7.1
TLS SNI support enabled
configure arguments: --prefix=/opt/zimbra/common --with-cc-opt='-g -I/opt/zimbra/common/include' --with-ld-opt='-Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib' --with-debug --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_upstream_zmauth_module --with-http_zm_sso_module --with-http_spdy_module --with-mail --with-mail-sasl --with-mail_ssl_module --error-log-path=/opt/zimbra/log/nginx.log --http-log-path=/opt/zimbra/log/nginx.access.log --http-client-body-temp-path=/opt/zimbra/data/tmp/nginx/client --http-proxy-temp-path=/opt/zimbra/data/tmp/nginx/proxy --http-fastcgi-temp-path=/opt/zimbra/data/tmp/nginx/fastcgi --without-http_scgi_module --without-http_uwsgi_module --add-module=modules/nviennot-nginx-tcp-keepalive
zimbra@srv-zproxy01:~$
Regards,
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
@DualBoot - thank you for trying. In addition to the module you have mentioned, I have seen references to using proxy_cookie_path, but I have spent a few hours going down that path and it does not seem to be working either. So in /opt/zimbra/conf/nginx/templates, I tried editing nginx.conf.web.https.default.template, finding the section for location = /, and then below proxy_pass, I tried to add
proxy_cookie_path / "/;SameSite=None";
Then restarted the proxy with zmproxyctl restart. That doesn't cause any errors, but doesn't seem to work either. The only other suggestion that I have seen was to add something like
more_set_headers 'Set-Cookie: $sent_http_set_cookie;SameSite=None';
But that one does prevent the proxy from starting because more_set_headers is not recognized (which implies that proxy_cookie_path IS recognized, because it doesn't trigger the same error.)
Oh well, I am giving up. Perhaps I can work some DNS magic so that the Zimbra server and the web application share the same domain. Thanks for your help!
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
Hi,
sorry to revive this topic from the grave, but did you ever find a way to set "HttpOnly; Secure; SameSite=Strict" in the cookies?
Regards
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
rokoyato wrote:
Hi,
sorry to revive this topic from the grave, but did you ever find a way to set "HttpOnly; Secure; SameSite=Strict" in the cookies?
Regards
Sorry, but no, I didn't. I tried once more a while later, and ran into the same issues. My solution was to move my application and my Zimbra server onto different subdomains in the same domain - that satisfied the requirement without the use of the SameSite attribute.
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
DaveSmash wrote:
Sorry, but no, I didn't. I tried once more a while later, and ran into the same issues. My solution was to move my application and my Zimbra server onto different subdomains in the same domain - that satisfied the requirement without the use of the SameSite attribute.
Thanks for your answer, I will see with the Synacor support if they have an answer to this.
Regards
Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)
DaveSmash wrote:
Sorry, but no, I didn't. I tried once more a while later, and ran into the same issues. My solution was to move my application and my Zimbra server onto different subdomains in the same domain - that satisfied the requirement without the use of the SameSite attribute.
Hi, so this is the way to go, in case you or anyone else needs that in the future:
zmprov mcf +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_TEST=true;Secure;HttpOnly;SameSite=Strict\""
Which should give you this result in Mozilla Observatory:
To test:
https://observatory.mozilla.org
So far I have not managed a correct way to get prefixed cookies; still waiting for the support answer on this one.
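An added check, not from this thread or from Zimbra, that parses the Set-Cookie headers a response carries and reports what the posts above ran into: a cookie set twice in one response (the second-header problem after the first zmprov attempt), attributes missing, and a SameSite value that Chrome will not send in a cross-site iframe even after the final zmprov command. The parse_set_cookie and audit functions and the SAMPLE headers are constructed for this example.

```python
from collections import defaultdict

# Set-Cookie attribute names are case-insensitive; cookie names are not, so
# ZM_Test and ZM_TEST would be two different cookies to the browser.
WANTED = ("Secure", "HttpOnly", "SameSite")

# Constructed sample: the bare cookie login.jsp sets, followed by the header the
# zmprov command adds, as one response could carry both.
SAMPLE = ["ZM_TEST=true; Path=/", "ZM_TEST=true;Secure;HttpOnly;SameSite=Strict"]

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit(headers, for_iframe=False):
    """Return {cookie name: [findings]} for the Set-Cookie values of one response.
    for_iframe=True adds the cross-site embedding check from the original post."""
    by_name = defaultdict(list)
    for header in headers:
        name, attrs = parse_set_cookie(header)
        by_name[name].append(attrs)
    report = {}
    for name, occurrences in by_name.items():
        findings = []
        if len(occurrences) > 1:
            # The failure mode from the thread: the proxy-added header did not
            # replace the cookie set by login.jsp, so the response carried both.
            findings.append(f"set {len(occurrences)} times in one response")
        # Approximation: the last header wins; a real browser also keys on Domain
        # and Path, which this check ignores.
        final = occurrences[-1]
        for attr in WANTED:
            if attr.lower() not in final:
                findings.append(f"missing {attr}")
        same_site = final.get("samesite", "").lower()
        if same_site == "none" and "secure" not in final:
            findings.append("SameSite=None is rejected without Secure")
        if for_iframe and same_site != "none":
            findings.append("not sent in a cross-site iframe without SameSite=None")
        report[name] = findings
    return report
```

Run audit(SAMPLE, for_iframe=True) to see both the duplicate-header finding and why SameSite=Strict does not fix the iframe case; pass the real Set-Cookie values from a login response to check your own proxy.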