Google Chrome Release 84 could impact Embedded Yellowfin Applications

What is happening?

Chrome is changing the default cross-domain (SameSite) behavior of cookies, coinciding with the stable release of Chrome 84 on July 14, 2020, with enforcement enabled for Chrome 80+. The SameSite changes started in February 2020 with the Chrome 80 release, but Google temporarily rolled them back until mid-2020. The SameSite changes enhance security and privacy, but require customers and partners to test custom Salesforce integrations that rely on cookies.

The SameSite attribute on a cookie controls its cross-domain behavior. If no SameSite attribute is specified, the Chrome 84 release sets cookies as SameSite=Lax by default. Up until the Chrome 84 release, the default is SameSite=None. After the Chrome 84 release, developers can still opt in to the status quo of unrestricted use by explicitly setting SameSite=None; Secure.

Am I affected by this?

Maybe. If your Yellowfin instance is NOT on the same eTLD+1 as the host application (eg and then you will be affected.

If you are on the same eTLD+1 then these apps are treated as if they were the same site and you should not see issues after Chrome 84 is released.

How do I handle this if I am affected?

Here is a four-step process to mitigate this issue:

1. Upgrade Tomcat to one of the following versions or above (for instructions on how to do this, see this article):

  • 9.0.29 or above

2. Modify your ROOT.xml file (found in {Yellowfin install dir}/appserver/conf/Catalina/localhost/) and add the following line between the opening and closing <Context> tags:

<CookieProcessor sameSiteCookies="none"/>

An example would look like this:

3. Modify your web.xml file (found in {Yellowfin install dir}/appserver/webapps/ROOT/WEB-INF) and add in the following inside the <web-app> tags:


An example would look like this:

4. Ensure that Yellowfin is accessible on a secure connection (for instructions on enabling HTTPS, please see this article)
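
One way to check the result of steps 2 to 4, as an added example that is not part of the original article: the Python sketch below classifies a Set-Cookie header the way Chrome 84+ treats it on a cross-site embedded request (iframe or script call). The header values and the JSESSIONID cookie are constructed samples, and treating an unrecognised SameSite value like a missing one is an assumption of this model; in practice, paste the Set-Cookie line from your own Yellowfin response.

```python
# Added example: models Chrome 84+ handling of a cookie on a cross-site
# embedded request. All sample headers below are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {attribute: value}); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header):
    """Return how the cookie fares when Yellowfin is embedded on another site."""
    _, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs  # flag attribute, carries no value
    if same_site == "none":
        # SameSite=None is only accepted together with Secure (hence step 4, HTTPS).
        return "sent" if secure else "rejected-no-secure"
    if same_site == "strict":
        return "withheld-strict"
    if same_site == "lax":
        return "withheld-lax"
    # No SameSite attribute: Chrome 84 applies Lax by default.
    # Assumption of this model: an unrecognised value is handled the same way.
    return "withheld-lax-default"


# Constructed sample headers for three stages of the procedure.
SAMPLES = {
    "before any change": "JSESSIONID=ABC123; Path=/; HttpOnly",
    "step 2 without HTTPS": "JSESSIONID=ABC123; Path=/; HttpOnly; SameSite=None",
    "all steps applied": "JSESSIONID=ABC123; Path=/; Secure; HttpOnly; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:22} -> {cross_site_verdict(header)}")
```

Only the last sample yields "sent", which is why the CookieProcessor change and HTTPS have to be deployed together.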
