Hi guys,
As you might already know, starting with Chrome v84 a secure-by-default model has been introduced for cookies which do not have the SameSite attribute set. So all cookies which do not set this value will be considered by the browser as “SameSite=Lax”, hence these cookies can be accessed only from the origin. More info here
This means that if you had embedded Confluence content in another domain (e.g. via an iframe), it will now fail to render if the browser you are using to access the content is Chrome. This is because the SameSite value is not set for the JSESSIONID cookie (or other cookies) which is used to share the authentication, and the browser will block it.
Of course in that case a message comes out saying you are not logged in even though you have done so already.
The most convenient option to fix this is to set the SameSite value to None and Secure for this cookie, but unfortunately this is something which has to be done internally in Confluence/Jira where this cookie is first generated and where the needed headers are applied on creation.
Setting the attribute “SameSite=None; Secure” would allow the reuse of this cookie cross-site only via HTTPS.
I was wondering if anyone else is having the same issue and, if yes, do you know if Atlassian is planning to fix it anytime soon?
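Added example, not part of the original post and not Atlassian code: a small check that parses `Set-Cookie` header values and reports whether a browser with the default-Lax model described above would attach each cookie to a request made from a cross-site iframe. It goes slightly beyond the post by also covering explicit `Lax`/`Strict` values and `SameSite=None` without `Secure`; the function names and the sample headers are constructed for illustration.

```javascript
// Added example. Sample Set-Cookie values are constructed, not captured from Confluence/Jira.
const SAMPLE_HEADERS = [
  "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
  "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; SameSite=None",
  "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly; SameSite=None",
  "prefs=compact; Path=/; Secure; samesite=strict",
];

// Split one Set-Cookie value into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const attr of attrs.filter(Boolean)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? "" : attr.slice(i + 1).trim();
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attributes };
}

// Hypothetical helper: would a browser that defaults to SameSite=Lax attach this
// cookie to a request made from inside a cross-site iframe?
function classifyForCrossSiteIframe(header) {
  const { name, attributes } = parseSetCookie(header);
  const sameSite = (attributes.samesite || "").toLowerCase();
  const secure = "secure" in attributes;
  if (sameSite === "none") {
    // SameSite=None is only honoured together with Secure; otherwise the cookie is rejected.
    return secure
      ? { name, sent: true, verdict: "sent-cross-site-over-https" }
      : { name, sent: false, verdict: "rejected-none-without-secure" };
  }
  if (sameSite === "lax" || sameSite === "strict") {
    return { name, sent: false, verdict: "same-site-only" };
  }
  // Attribute missing or unrecognised: the browser applies the Lax default.
  return { name, sent: false, verdict: "defaulted-to-lax" };
}

for (const header of SAMPLE_HEADERS) {
  const { name, sent, verdict } = classifyForCrossSiteIframe(header);
  console.log(`${name}: ${sent ? "sent" : "blocked"} (${verdict})`);
}
```

Feeding it the `Set-Cookie` values seen in the browser's network panel for the embedded page shows which cookies fall under the Lax default.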