As you know, Google has announced a secure-by-default model for cookies in the Chrome browser and plans to ship it in the Chrome 80 release scheduled for February 2020. The change affects the default cross-site (SameSite) behaviour of cookies. The purpose of this Advisory is to inform you about the effect on Layer7 API Gateway use cases once Chrome applies a SameSite value to cookies by default.
Starting with Chrome 80, Chrome will treat cookies that do not declare a SameSite value as SameSite=Lax. Such cookies are no longer sent on cross-site requests such as XHR/fetch calls, form POSTs and iframe loads originating from another site; only top-level navigations using a safe method (for example a link click) still carry them. Cookies that must be sent cross-site have to declare SameSite=None explicitly, and Chrome 80 only accepts SameSite=None on cookies that also carry the Secure attribute (that is, cookies set over HTTPS). This change affects customers' browser-based applications that make cross-site calls to APIs proxied through the Gateway. Broadcom is committed to addressing this change in behaviour in all supported Gateway versions.
What Google is doing:
You can read about the change Google is making to Chrome here: https://www.chromium.org/updates/same-site
As a result of this change, the default cookie behaviour of Chrome 80 differs from that of all Chrome versions prior to 80; no configuration change on the client is needed for the new behaviour to take effect.
What Broadcom is doing:
We will integrate a solution for this change in default behaviour into the upcoming Layer7 API Gateway 10 release and into the cumulative releases of Layer7 API Gateway 9.4, so that Gateway use cases continue to work when Chrome applies the SameSite cookie attribute by default. For the other supported Layer7 API Gateway versions (9.1, 9.2 and 9.3), a patch will be made available on top of the latest CR/SP release of each version. Patches will be published here as they become available: https://techdocs.broadcom.com/us/product-content/recommended-reading/technical-document-index/ca-api-gateway-solutions-and-patches.html
Please contact the Broadcom support team for patch availability for Layer7 MicroGateway and the Layer7 API Gateway container form factor.
Gateway Affected Use Cases when Chrome 80 is released:
We have analyzed the changes Google is implementing in Chrome 80 and examined the Gateway use cases that are affected.
- When the Gateway receives a cookie carrying a SameSite attribute (Set-Cookie header) from the backend, it passes the cookie through to the client unchanged (no cookie manipulation). Consequently, a backend cookie that carries no SameSite attribute also reaches the browser without one, and Chrome 80 treats it as SameSite=Lax.
- When the Gateway receives a cookie carrying a SameSite attribute (Set-Cookie header) from the backend, the Gateway is able to manipulate cookies in the response by using the following assertions:
What you should do:
- Read the information at the Chromium site noted above.
- Review the list of Layer7 API Gateway affected use cases
- Determine if your Layer7 API Gateway deployment will need the above-described patches.
- Plan your testing and deployment of those patches.
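The Chrome 80 rules summarized at the top of this Advisory, applied to the Set-Cookie pass-through behaviour described under the affected use cases, as an added example in Python (this is not Broadcom or Layer7 code and does not model any Gateway assertion): it classifies each cookie the way Chrome 80 will, reports the cookies whose behaviour changes, and shows the rewrite a cookie needs if it must still be sent cross-site. The sample Set-Cookie headers, cookie names and the request-kind labels (top_level_get, top_level_post, subresource) are constructed for illustration.

```python
"""Audit and rewrite Set-Cookie headers under Chrome 80's SameSite rules.

Added example; not Broadcom/Layer7 code and not a model of any Gateway
assertion. It encodes the two Chrome 80 rules from the chromium.org page
linked above: (1) a cookie with no SameSite attribute is treated as
SameSite=Lax, and (2) a cookie with SameSite=None is rejected unless it
also carries Secure.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Canonical spelling of attributes we emit; keys are matched case-insensitively.
CANON = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
         "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flags such as Secure
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def serialize(cookie: Cookie) -> str:
    """Rebuild the Set-Cookie header value with canonical attribute spelling."""
    out = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attrs.items():
        label = CANON.get(key, key)
        out.append(label if val is None else f"{label}={val}")
    return "; ".join(out)


def effective_samesite(cookie: Cookie) -> str:
    """Return how Chrome 80 classifies the cookie: Strict, Lax, None or rejected."""
    declared = (cookie.attrs.get("samesite") or "").lower()
    if declared in ("strict", "lax"):
        return declared.capitalize()
    if declared == "none":
        # Chrome 80 only honours SameSite=None on cookies that also carry Secure.
        return "None" if "secure" in cookie.attrs else "rejected"
    # No attribute (or a value Chrome does not recognise): Lax by default.
    return "Lax"


def sent_cross_site(cookie: Cookie, request: str) -> bool:
    """Would Chrome 80 attach this cookie to a cross-site request of the given kind?

    request is one of 'top_level_get' (link click or GET navigation),
    'top_level_post' (cross-site form POST) or 'subresource' (XHR, fetch,
    img, script or iframe load). Lax cookies travel only on top-level
    navigations that use a safe method, so only 'top_level_get' qualifies.
    """
    effective = effective_samesite(cookie)
    if effective == "None":
        return True
    if effective == "Lax":
        return request == "top_level_get"
    return False  # Strict never goes cross-site; rejected cookies are never stored


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """List (cookie name, problem) for cookies whose behaviour changes in Chrome 80."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if effective_samesite(cookie) == "rejected":
            findings.append((cookie.name, "SameSite=None without Secure: Chrome 80 rejects this cookie"))
        elif cookie.attrs.get("samesite") is None:
            findings.append((cookie.name, "no SameSite value: treated as Lax, so not sent on "
                                          "cross-site XHR/fetch, POST or iframe requests"))
    return findings


def rewrite_for_cross_site(header: str) -> str:
    """Rewrite a Set-Cookie header so Chrome 80 keeps sending it cross-site.

    Caveat: Secure means the cookie is only ever sent over HTTPS, so this
    rewrite is only correct for cookies the client uses over TLS anyway.
    """
    cookie = parse_set_cookie(header)
    cookie.attrs["samesite"] = "None"
    cookie.attrs["secure"] = None
    return serialize(cookie)


# Constructed sample headers, as a backend behind the Gateway might return them.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=1A2B3C; Path=/; HttpOnly",          # no SameSite: becomes Lax
    "sso_token=tok42; Path=/; SameSite=None",        # None without Secure: rejected
    "theme=dark; Path=/; SameSite=Lax",              # explicit Lax: unchanged
    "xsrf=9f8e; Path=/; SameSite=None; Secure",      # correct for cross-site use
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_SET_COOKIE):
        print(f"{name}: {problem}")
    print(rewrite_for_cross_site(SAMPLE_SET_COOKIE[0]))
```

Run against the constructed sample, the audit reports JSESSIONID (no SameSite value, so it becomes Lax and stops flowing on cross-site XHR/fetch calls to the API) and sso_token (SameSite=None without Secure, so Chrome 80 drops it). Only cookies that genuinely need cross-site delivery should be rewritten to SameSite=None; Secure, and only where the application is served over HTTPS, since Secure cookies are never sent over plain HTTP; session cookies used purely same-site are better left Lax.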
If you have questions about the nature and timing of this change in Chrome, please contact Google. Note: if Chrome is used only on your own internal network, you may be able to apply an enterprise policy (LegacySameSiteCookieBehaviorEnabled, or LegacySameSiteCookieBehaviorEnabledForDomainList for specific domains) so that Chrome 80 keeps the pre-Chrome 80 cookie behaviour. Google has described these policies as a temporary measure, so they should be treated as a transition aid rather than a substitute for the patches above. See this link: https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies
When the updates become available, they will be published on the CA API Gateway Solutions & Patches page.
If you have questions about how to access and deploy the patches, please contact CA Support.
Layer7 APIM Product Management