I recently received the following e-mail from AWS...
We are contacting you because you use application-based stickiness on your Classic Load Balancer(s). An upcoming change to the Chromium engine used by many popular web browsers might impact your application if you use the application cookie stickiness feature with Cross-Origin Resource Sharing (CORS) on your load balancer. Please note that if you do not use CORS and application cookie stickiness together on your load balancer, you are not impacted by the above change and you can ignore this notice. We are notifying all customers using application-based stickiness on Classic Load Balancers as we do not have a mechanism to determine if you are using CORS in your application.
The Chromium project is planning a new release, Chromium 80, in February 2020, which introduces a requirement that HTTP cookies used in CORS requests must include the ‘SameSite=None; Secure’ attributes and be sent over HTTPS only. Web clients using Chromium with versions 80 or above will ignore cookies returned in CORS requests if they do not include these attributes or if they are sent over non-encrypted HTTP. Application-stickiness on Classic Load Balancers already supports the ‘secure’ attribute and now has support for ‘SameSite=None’ as of January 26, 2020. If this impacts you, you will have to update your application to set the ‘SameSite=None; Secure’ attributes to maintain stickiness in your application. Chrome and many other browsers that use the Chromium engine are affected by this change. A list of browsers using Chromium can be found here: https://en.wikipedia.org/wiki/Chromium_(web_browser)#Browsers_based_on_Chromium
Additional information on this topic is available in this forum post - https://forums.aws.amazon.com/ann.jspa?annID=7413. Please contact us if you have any concerns.
Amazon Web Services
Will Atlassian Data Center apps on AWS be affected by this change?
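
An added example, not part of the original post or the AWS notice: a small Node.js check that applies the rule quoted above (SameSite=None, Secure, and HTTPS) to Set-Cookie headers collected from an application behind the load balancer. The function names are hypothetical, and the cookie names and values are constructed samples, not output captured from a real load balancer or Atlassian product.

```javascript
// Parse one Set-Cookie header value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? "" : pair.slice(0, eq), attrs };
}

// Reasons the cookie would be ignored on a CORS request under the rule in the
// notice. An empty list means the cookie is kept.
function corsCookieProblems(header, scheme) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  const raw = typeof attrs.samesite === "string" ? attrs.samesite : null;
  if (!raw) problems.push("SameSite missing");
  else if (raw.toLowerCase() !== "none") problems.push(`SameSite=${raw}`);
  if (!("secure" in attrs)) problems.push("Secure missing");
  if (scheme.toLowerCase() !== "https") problems.push("sent over HTTP");
  return problems;
}

// Constructed sample responses: scheme of the request plus one Set-Cookie value.
const SAMPLE = [
  { scheme: "https", setCookie: "JSESSIONID=A1B2C3; Path=/; HttpOnly" },
  { scheme: "https", setCookie: "AWSELB=0123ABCD; Path=/; SameSite=None" },
  { scheme: "http", setCookie: "AWSELB=0123ABCD; Path=/; SameSite=None; Secure" },
  { scheme: "https", setCookie: "AWSELB=0123ABCD; Path=/; SameSite=None; Secure" },
];

// Evaluate every response and report the cookie name with its problems.
function audit(responses) {
  return responses.map(({ scheme, setCookie }) => ({
    cookie: parseSetCookie(setCookie).name,
    problems: corsCookieProblems(setCookie, scheme),
  }));
}

for (const row of audit(SAMPLE)) {
  const verdict = row.problems.length ? "ignored: " + row.problems.join(", ") : "kept";
  console.log(`${row.cookie} -> ${verdict}`);
}
```

Both the application's session cookie and the load balancer's stickiness cookie need to pass the check for stickiness to survive a cross-origin request.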