Security Advisory– Google Chrome Browser version 80 Updates and Ex Libris products and services
Subject: Google Chrome Browser version 80 Updates and Ex Libris products and services - January 22, 2020
Overview
On February 4, 2020 Google will roll out a new version of Google Chrome (80) that will implement a secure-by-default model for cookies using the SameSite attribute, enabled by a new cookie classification system.
The SameSite attribute protects users from cross-site request forgery, where innocent end user is tricked by an attacker into submitting a web request that they did not intend.
Google Chrome (80) new default cookie attribute will be set to SameSite="Lax". Previously, the SameSite cookie attribute defaulted to SameSite="None".
As of February 2020, only cookies with the SameSite set to "None" and tagged as Secure will be able to send cross-sites and will require encrypted HTTPS connection access.
Reference
Impact
High
Affected Systems
Although the change was intended to discourage malicious cookie tracking, it has the potential to affect Ex Libris products and services that leverage application cookies within the same web page that have a different domain than the one being used by Ex Libris.
Examples where the change in Chrome cookie handling may have an impact:
-
SSO (e.g. SAML)
-
Primo using non Ex Libris domain and Alma View-It/Get-It embedded web pages (not including Primo VE)
-
Custom integrations relying on non-secure (HTTP) protocol or cookie, that might be impacted in Google Chrome
-
Use of embedding of external links ('Iframe') in web pages
-
Embedding Leganto in the learning management system’s course page
Tests and Certifications
Ex Libris is analyzing and testing the specific potential impact that this change in cookie handling is going have on all Ex Libris products.
Actions Taken for Hosted Systems
Our plan is to solve any possible issues as part of our cloud platform.
Required Configurations for On-Premise/Local Systems
For non-platform products, we will provide instructions regarding the procedures you need to perform on your local installations.
More details will be provided in the next days.