Issue collector not matching submitter user's session to make them issue reporter

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible


Summary

When a logged-in user raises a ticket through an Issue Collector, their user session is no longer matched, so the user needs to enter their email address when reporting feedback (the same as when a user submits feedback anonymously).

This is working as designed. The behaviour was changed to accommodate the stricter SameSite cookie policy implemented in Chrome 80. Read on for more details.

Environment

This behaviour appears in the following Jira versions and higher: 8.7.0, 8.5.4, 8.6.2, 7.13.13.

Diagnosis

  1. Log in to Jira
  2. Use the Issue Collector to raise feedback in Jira
  3. The Issue Collector asks for an email address to match the Reporter field, although the user is already logged in

Cause

Recently, Chrome added a new cookie policy, related to SameSite cookie settings, to versions 80 and higher. Other browsers are adopting these changes as well, with the purpose of improving security and avoiding Cross-Site Request Forgery attacks. More about these changes can be found in this external resource: Developers: Get Ready for New SameSite=None; Secure Cookie Settings. These changes are being implemented as part of an IETF recommendation and are being adopted as an industry standard.

Implementing SameSite cookie controls would break Issue Collector functionality for collectors that appear on separate domains. This was addressed in the following bug ticket: JRASERVER-70494
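The following added example (not Atlassian or Chrome code) is a simplified model of the SameSite rules described above, showing why a session cookie is withheld when a collector embedded on a separate domain submits to Jira. The cookie name `JSESSIONID`, its value and the request descriptions are constructed assumptions; HTTPS is assumed throughout, and Chrome's temporary exception for recently set cookies on top-level POSTs is not modelled.

```javascript
// Simplified model of how Chrome 80 decides whether to attach a cookie.
// Parse only the Set-Cookie attributes that matter for SameSite handling.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// request: { crossSite, topLevelNavigation, method }
// Returns "sent", "withheld" or "rejected" (cookie never stored).
function cookieDecision(header, request) {
  const cookie = parseSetCookie(header);
  // A cookie without a recognised SameSite value is handled here as Lax.
  const known = ["strict", "lax", "none"];
  const mode = known.includes(cookie.sameSite) ? cookie.sameSite : "lax";
  // SameSite=None is only accepted together with the Secure attribute.
  if (mode === "none" && !cookie.secure) return "rejected";
  if (!request.crossSite || mode === "none") return "sent";
  // Lax: cross-site only on top-level navigations using a safe method.
  const safe = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(request.method);
  if (mode === "lax" && request.topLevelNavigation && safe) return "sent";
  return "withheld";
}

// Constructed requests: a collector form on another site posting to Jira,
// the same submission made from Jira's own site, and a followed link.
const embeddedSubmit = { crossSite: true, topLevelNavigation: false, method: "POST" };
const sameSiteSubmit = { crossSite: false, topLevelNavigation: false, method: "POST" };
const linkClick = { crossSite: true, topLevelNavigation: true, method: "GET" };

// Constructed Set-Cookie values for a session cookie.
const legacy = "JSESSIONID=abc123; Path=/; HttpOnly";
const noneInsecure = "JSESSIONID=abc123; Path=/; SameSite=None";
const noneSecure = "JSESSIONID=abc123; Path=/; Secure; SameSite=None";

for (const header of [legacy, noneInsecure, noneSecure]) {
  console.log(header, "->", cookieDecision(header, embeddedSubmit));
}
```

With the session cookie withheld on the embedded submission, the server has no logged-in session to match against the reporter.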

Part of the solution for making Issue Collectors work for Chrome 80+ users is to drop the XSRF token check. However, this check was used by a certain Jira Issue Collector functionality: a particular Issue Collector could be configured in such a way that the reporter of the newly created issue could be matched with the currently logged-in user.

Since Issue Collector cannot provide that functionality without XSRF token check, a trade-off has been made and this feature was removed. Issue Collector no longer uses the logged-in user session for its logic, so it is no longer possible to match the session and set the logged-in user as reporter.

This means users will need to enter their email address in the Issue Collector form.

The Jira Software 8.5.4 Upgrade notes describe how the Issue Collector behaviour was changed to avoid the impact of the new SameSite policy:

The upcoming update of the Chrome browser introduces new cookie security features, which would essentially break the issue collectors embedded on separate domains. We’ve fixed this problem, but this brought some changes to how issue collectors work:

  • You can no longer match the submitter’s user session to make them the issue reporter. You can still match them by using their email address.
  • You don’t have to enable 3rd party cookies to make the issue collector work. We’ve removed this requirement, also dropping some error messages that reminded about it.
  • The project and issue key will no longer be displayed in the success message after submitting feedback (unless the project is open to Anyone on the web). We did this to improve security by not disclosing information about projects and issues.

Solution

This behaviour is working as designed, as per the explanation above.

A stricter SameSite policy is being adopted with the purpose of improving user security. These modifications to Issue Collector functionality were therefore made to ensure it works properly while adhering to the SameSite cookie controls in the browser.

Please vote for the following feature request if you would like the removed functionality back in Jira: JRASERVER-71186

Description: Issue collector not matching submitter user's session to make them issue reporter
Product: Jira
Last modified on Nov 23, 2020