
Stopping Cross-Site Request Forgery Attacks
Google is expected to release Chrome version 80 on February 4, 2020. This version includes new behavior to address the problem of cross-site request forgery (CSRF) attacks, which exploit the way browsers have, until now, attached a site's cookies to requests originating from other sites. This article gives an excellent explanation of the reasons behind the change and how Chrome 80 behaves.
Closing off holes for potential attacks is generally a good thing, but the change in behavior impacts how applications use cookies and can break some functionality.
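To make the change concrete, here is a small Python model of the two SameSite rules Chrome 80 enforces (a cookie with no SameSite attribute is treated as SameSite=Lax, and SameSite=None is only accepted together with Secure), used to check which Set-Cookie headers stop flowing cross-site. This is an added example, not code from the article or from Microsoft; the cookie headers and request contexts in it are constructed, and Chrome's temporary "Lax+POST" two-minute exception is deliberately not modelled.

```python
# Added example (not from the article): a model of Chrome 80's SameSite cookie
# rules, to show which cookies stop being sent on cross-site requests and what
# a Set-Cookie header needs in order to keep working. All values are constructed.
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    # "Strict", "Lax" or "None" (the attribute value); Python None = attribute absent
    same_site: Optional[str]
    secure: bool


@dataclass(frozen=True)
class Request:
    cross_site: bool   # the initiating site differs from the cookie's site
    top_level: bool    # address-bar/link/form navigation, not an iframe, XHR or fetch
    method: str
    https: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse only the parts of a Set-Cookie header that matter for SameSite."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    same_site, secure = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.lower() == "samesite":
            same_site = value.strip().capitalize()   # "none" -> "None"
        elif key.lower() == "secure":
            secure = True
    return Cookie(name, same_site, secure)


def stored(cookie: Cookie, chrome80: bool) -> bool:
    """Chrome 80 rejects SameSite=None cookies that are not also marked Secure."""
    return not (chrome80 and cookie.same_site == "None" and not cookie.secure)


def effective_same_site(cookie: Cookie, chrome80: bool) -> str:
    """A missing SameSite attribute means Lax in Chrome 80; older behavior was None."""
    if cookie.same_site is None:
        return "Lax" if chrome80 else "None"
    return cookie.same_site


def cookie_sent(cookie: Cookie, req: Request, chrome80: bool = True) -> bool:
    """Would the browser attach this cookie to this request?"""
    if not stored(cookie, chrome80):
        return False          # never stored, so never sent
    if cookie.secure and not req.https:
        return False
    if not req.cross_site:
        return True           # same-site requests always carry the cookie
    mode = effective_same_site(cookie, chrome80)
    if mode == "None":
        return True
    if mode == "Lax":
        # Lax: only top-level navigations using a safe method
        return req.top_level and req.method.upper() in SAFE_METHODS
    return False              # Strict: never on cross-site requests


def chrome80_breaks(header: str) -> bool:
    """True when a cookie that used to flow on cross-site embedded requests
    (an iframe or background fetch from another site) stops flowing in Chrome 80."""
    cookie = parse_set_cookie(header)
    embedded = Request(cross_site=True, top_level=False, method="GET", https=True)
    return (cookie_sent(cookie, embedded, chrome80=False)
            and not cookie_sent(cookie, embedded, chrome80=True))


def fix_for_cross_site(header: str) -> str:
    """Rewrite a Set-Cookie header so the cookie is still sent cross-site in Chrome 80.
    Keeps other attributes (Path, HttpOnly), replaces SameSite/Secure."""
    parts = [p.strip() for p in header.split(";")]
    kept = [a for a in parts[1:]
            if a and a.lower() != "secure" and not a.lower().startswith("samesite")]
    return "; ".join([parts[0], *kept, "SameSite=None", "Secure"])


if __name__ == "__main__":
    legacy = parse_set_cookie("session=abc; Path=/; HttpOnly")
    forged_post = Request(cross_site=True, top_level=True, method="POST", https=True)
    print("forged cross-site POST carries legacy cookie before Chrome 80:",
          cookie_sent(legacy, forged_post, chrome80=False))
    print("... and in Chrome 80:", cookie_sent(legacy, forged_post, chrome80=True))
    print("needs fixing for embedded use:", chrome80_breaks("session=abc; Path=/; HttpOnly"))
    print("fixed header:", fix_for_cross_site("session=abc; Path=/; HttpOnly"))
```

The CSRF point is the `forged_post` case: a session cookie set without a SameSite attribute was attached to a form POST submitted from any other site, which is exactly what a forged request relies on; in Chrome 80 the same cookie is treated as Lax and stays home. The breakage point is `chrome80_breaks`: a cookie that an application legitimately needs on a cross-site iframe or federation round-trip also stops flowing unless it is re-issued as `SameSite=None; Secure`, which is the kind of update Microsoft refers to.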
Microsoft Guidance
Office 365 includes many web interfaces such as OWA, the administration consoles, browser interfaces for SharePoint Online, OneDrive for Business, Planner, Yammer, and Teams, and so on. Some of these interfaces also feature in on-premises servers. Microsoft has released guidance saying that they will address “this change in behavior in its products and services before the February 4, 2020, rollout date.” The guidance covers Office 365.
The same document says that updates are coming for Exchange Server, SharePoint Server, and Skype for Business client and that customers using Active Directory Federation Services or Web Application Proxy must update Windows Server 2016 and Windows Server 2019.
A January 24 update posted by the Exchange product group confirms that Exchange Online has already rolled out the necessary changes to handle Chrome 80 and says that they are preparing cumulative updates for Exchange Server 2016 and Exchange Server 2019 that contain similar changes. Microsoft says that they are “investigating solutions” for older versions of Exchange (likely 2010 and 2013). Based on anecdotal evidence from customers at Ignite events, there are still a lot of old Exchange servers in production.
The Exchange 2016 and 2019 cumulative updates will be available on Patch Tuesday in March (March 10), which means that on-premises users should avoid using Chrome 80 until the updates are deployed. Viewed another way, it’s a great opportunity for users to test the Chromium version of Edge (now generally available) with either Office 365 or on-premises browser interfaces.
Microsoft hasn’t said if or when Edge will implement the same changes as in Chrome 80. Firefox has signaled its intention to make the same change in the future. Apple hasn’t said what it will do with Safari.
The interaction of third-party technology with Office 365 is yet another thing to throw into the tracking mix. Stay up to date by subscribing to the Office 365 for IT Pros eBook so that important changes don’t pass you by…
2 Replies to “Office 365 OK for Chrome 80 SameSite Update”