Google Chrome 84 could impact Embedded Yellowfin below 9.3

What happened?

Chrome has changed the default cross-domain (SameSite) behaviour of cookies coinciding with the stable release of Chrome 84 on July 14, 2020, with enforcement enabled for Chrome 80+. The SameSite changes started in February 2020 with the Chrome 80 release, but Google temporarily rolled back the SameSite changes until mid 2020. The SameSite changes enhance security and privacy, but require customers and partners to test custom Salesforce integrations that rely on cookies.

The SameSite attribute on a cookie controls its cross-domain behavior. If no SameSite attribute is specified, the Chrome 84 release sets cookies as SameSite=Lax by default. Up until the Chrome 84 release, the default is SameSite=None. After the Chrome 84 release, developers can still opt in to the status quo of unrestricted use by explicitly setting SameSite=None; Secure.

Am I effected by this?

Maybe, if your Yellowfin instance is NOT on the same eTLD+1 as the host application (eg app.host.com and yellowfin.host.com) and you are not using Yellowfin 9.3 then you will be effected. 

If you are on the same eTLD+1 then these apps are treated as if they were the same site and you should not see issues after Chrome 84 is released.

How do I handle this if I am effected?

You have 3 options when it comes to dealing with SameSite:

1. Upgrade to 9.3 and use our in-built SameSite settings.

2. Upgrade to 9.3 and use the manual SameSite configuration outlined below.

3. Use the manual SameSite configuration below in your current Yellowfin.

I don't want to upgrade to 9.3 or I want to set this configuration manually

Okay, then here is a 4 step process to mitigate this issue:

1. Upgrade Tomcat to one of the following versions or above (for instructions on how to do this,  see this article):

  • 9.0.29 or above

2. Modify your ROOT.xml file (found in {Yellowfin install dir}/appserver/conf/Catalina/localhost/) and add the following line in between the <Context> elements:

<CookieProcessor sameSiteCookies="none"/>

An example would look like this:

3. Modify your web.xml file (found in {Yellowfin install dir}/appserver/webapps/ROOT/WEB-INF) and add in the following inside the <web-app> tags:

<session-config>     
  <cookie-config>         
    <secure>true</secure>     
  </cookie-config> 
</session-config>

An example would look like this:

4. Ensure that Yellowfin is accessible on a secure connection (for instructions on enabling HTTPS,  please see this article)

5. ONLY APPLIES TO PEOPLE ON 9.3 wanting to use the manual configuration - Switch off Yellowfin's SameSite processing by running this SQL statement against your Yellowfin Config DB (after taking a backup, just in case)

INSERT INTO Configuration VALUES (1, 'SYSTEM', 'MANUAL_SAMESITE_CONFIG', 'TRUE'); 
Is article helpful?