SameSite cookie problems in desktop version of Teams


Hi,

I have created a Teams app, which contains static tabs (i.e. "personal" tabs). The tab content is hosted in SharePoint and uses MSAL v1.4.14 for authentication.
However, I'm seeing the following "sameSite" cookie problems:


Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which will prevent the cookie from being set in a cross-site context in a future version of the browser. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.

 

This problem only occurs in the Windows desktop version of Teams. I don't see it when I use Teams within a browser.

 

I cannot find any information on how to fix this problem.  Is it a bug in the desktop version of Teams and/or the MSAL library?

I found the following:
https://docs.microsoft.com/en-us/microsoftteams/platform/resources/samesite-cookie-update#samesite-c...
but I am not sure how I can fix my problem.

 

Here are some images of the errors I am seeing:

[Images: samesite_cookie_error2.PNG, samesite_cookie_error1.PNG]

 

 

Thanks,

George
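
The rules stated in the warning quoted above, as an added example that is not part of the original post and is not Teams, SharePoint or MSAL code: it classifies `Set-Cookie` headers by whether they would be set in a cross-site context. The function names and the sample cookie names are hypothetical, and the header strings are constructed.

```javascript
// Added example. Classifies Set-Cookie headers by the rules in the quoted warning.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    // If an attribute is repeated, this parser keeps the last value.
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const declared = attrs.has("samesite") ? attrs.get("samesite").toLowerCase() : null;
  const secure = attrs.has("secure");
  const valid = ["strict", "lax", "none"].includes(declared);
  // Missing or invalid SameSite is treated as Lax, as the warning states.
  const effective = valid ? declared : "lax";
  let finding = "ok";
  if (declared === null) finding = "samesite-missing-defaults-to-lax";
  else if (!valid) finding = "samesite-invalid-defaults-to-lax";
  else if (declared === "none" && !secure) finding = "samesite-none-without-secure";
  // Only SameSite=None together with Secure is set in a cross-site context.
  const setCrossSite = effective === "none" && secure;
  return { name, effective, secure, setCrossSite, finding };
}

// Constructed sample headers (hypothetical cookie names, not captured from Teams).
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly",
  "sso=1; Path=/; SameSite=None",
  "sso=1; Path=/; Secure; SameSite=None",
  "prefs=dark; Secure; SameSite=Bogus",
  "tabstate=7; Secure; SameSite=Strict",
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.name}: effective=${r.effective} crossSite=${r.setCrossSite} (${r.finding})`);
}
```
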

 

9 Replies
Could you please share more information on how to repro this issue?

Thanks

@HunaidHanfee-MSFT 

The issue is reproduced when I access a simple HTML page in a static tab. I also see this problem when I host my application using a web server instead of SharePoint. I observed the same SameSite warnings in two different test tenants.

Here is what my app manifest file looks like:

{
  "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.9/MicrosoftTeams.schema.json",
  "manifestVersion": "1.9",
  "version": "1.0.0",
  "showLoadingIndicator": true,
  "id": "cbfe33f3-04d1-4f41-ae80-849385d6bf33",
  "packageName": "test",
  "developer": {
    "name": "Test App",
    "websiteUrl": "https://testapp.com/",
    "privacyUrl": "https://testapp.com/privacy-policy",
    "termsOfUseUrl": "https://testapp.com/terms-use"
  },
  "icons": {
    "color": "color.png",
    "outline": "outline.png"
  },
  "name": {
    "short": "Test",
    "full": "Test Application"
  },
  "description": {
    "short": "Test Application",
    "full": "This app is a test application"
  },
  "accentColor": "#DA2DF0",
  "staticTabs": [
    {
      "entityId": "tab1",
      "name": "Tab #1",
      "contentUrl": "https://gctest71.sharepoint.com/_layouts/15/teamslogon.aspx?SPFX=true&dest=/Shared%20Documents/test/index.aspx",
      "websiteUrl": "https://gctest71.sharepoint.com/Shared%20Documents/test/index.aspx",
      "scopes": [
        "personal"
      ]
    },
    {
      "entityId": "tab2",
      "name": "Tab #2",
      "contentUrl": "https://gctest71.sharepoint.com/_layouts/15/teamslogon.aspx?SPFX=true&dest=/Shared%20Documents/test/phone.aspx",
      "websiteUrl": "https://gctest71.sharepoint.com/Shared%20Documents/test/phone.aspx",
      "scopes": [
        "personal"
      ]
    },
    {
      "entityId": "about",
      "scopes": [
        "personal"
      ]
    }
  ],
  "permissions": [
    "identity",
    "messageTeamMembers"
  ],
  "validDomains": [
    "gctest71.sharepoint.com"
  ],
  "webApplicationInfo": {
    "id": "00000003-0000-0ff1-ce00-000000000000",
    "resource": "https://gctest71.sharepoint.com"
  },
  "localizationInfo": {
    "defaultLanguageTag": "en-us",
    "additionalLanguages": [
      {
        "languageTag": "fr",
        "file": "locale_fr.json"
      },
      {
        "languageTag": "es",
        "file": "locale_es.json"
      }
    ]
  }
}

Here is what my Azure AD authentication configuration looks like for my App:

 

azuread_app_auth.PNG

What are you seeing on the tab? Could you please share the screenshot? Do you have another authentication on your SharePoint? Can you share minimal repro steps?

@HunaidHanfee-MSFT 

I have created a minimal app, which can reproduce the problem. Here is how to configure/deploy it:

  1. Create a SharePoint folder to host the web application code
  2. Set up an App in the Azure AD. Make a note of the "Application (client) ID" in the "Overview" section.
    In the "Authentication" section, add the following configuration:
    George71_1-1634755190376.png

    Note: the Redirect URI is:
    https://<SharePoint tenant URI>/<SharePoint File Path>/silent-end.aspx

  3. Unzip the file SharePoint_files.zip
  4. Modify the filePath and clientAppId in the config.js file to include the SharePoint path you just created and the "Application (client) ID" from the Azure AD.
    For example if the SharePoint folder is https://gctest71.sharepoint.com/Shared Documents/test , you would have the following in config.js:
    var filePath = "/Shared%20Documents/test/";
    NOTE: You need to replace any space characters with "%20".
  5. Copy all files into your SharePoint Folder.
  6. Unzip testApp.zip
  7. Update the manifest.json file in the zip with:
    - the Application (client) ID in the parameter id
    - the SharePoint tenant name + file path in the following items:
    contentUrl, websiteUrl, validDomains, webApplicationInfo, etc.
  8. Upload the testApp.zip to Teams.

Testing:

- Open the "Dev Tools" for the desktop Teams application.

- Click on "Go to Issues".

George71_2-1634755970317.png

You will see the following:

George71_3-1634756073325.png

 

 

 

Note: You may not see all of the SameSite warnings right away. You can click on the refresh button and/or sign out/in to see them.

 

 

Thanks!

 

 

Thanks for sharing. I will update after setting this up.
We have trouble setting this up. As per your shared information, it looks like these are only warnings. You can either act on those warnings and fix them, or skip them unless you are facing an error and the app isn't working.

Is your MSAL working fine or facing any error?

These are currently only warnings, but my fear is that something will change in the future and they will become errors and possibly break my app. I'm trying to figure out how I can resolve these warnings.
Right now the MSAL stuff is working fine and I do not see these warnings when I use the web version of Teams. There are no MSAL errors when I run it in either platform.
It looks like the SameSite header information needs to somehow be enabled on the server side because the desktop Teams app is flagging it as a warning.

Sorry for not updating you. I am working on this internally, trying to repro the issue and get those warnings. I will update you once I have any findings.

We have tried multiple ways but we do not have a repro of this issue. Can you please confirm if you are still facing this issue, and getting it on the latest Teams client? Did you try updating packages to the latest?