Access Denied

11 Comments

  • Devan - Community Manager

    Hello Therese Kirchner,

    I would recommend making sure Chrome is updated and that all your addons are disabled when attempting to access Zendesk. If this is still impacting you, though, let us know, and we'll be happy to dig deeper into what could be affecting you.

    Best regards.

    0
  • Therese Kirchner

    My browser is up to date and the only addon I have is Grammarly, which I've been using in Zendesk (and my whole team uses) daily.

    0
  • Therese Kirchner

    I've tried using Safari also, but I'm getting an error that my cookies are restricted and I can't log in. But my cookies aren't restricted at all. One of my co-workers has this same error, while another uses Safari as his preferred browser.

    0
  • Brett - Community Manager

    Hey Therese,

    Definitely seems like there's some odd behavior going on here. I'm going to create a ticket on your behalf so our Customer Advocacy team can look into this.

    You'll receive an email shortly stating your ticket has been created.

    Cheers!

    0
  • Therese Kirchner

    Thanks, Brett!

    0
  • Andrew Soderberg

    I am having the same source issue as Therese (I think this is also what is causing her Knowledge Capture to vanish). With a Mac using Safari, when I attempt to log in at https://support.verimatrix.com/access/normal/, I'm getting the error that my browser is restricting cookies, and I can't log in.

    But in fact I am not restricting any cookies in Safari. I have no control over this as technically Safari is internally restricting Zendesk's cookies due to a new security initiative to improve browser security and privacy on the web.

    This issue is new as of MacOS Catalina 10.15.2 and Safari 13.0.4. Before the latest MacOS update this problem did not occur in Safari.

    Note that when I use the latest versions of Chrome and Firefox with the URL above, there is no cookie warning and no problem being able to login.

    Or, when I use Safari to login to our portal via our account in the Zendesk domain directly at: https://verimatrix.zendesk.com/access/normal/ this issue does not occur (proving that Safari does not have problems storing cookies, and as there is no cross site cookie issue), everything is in the zendesk.com domain.

    Investigating further, I used Chrome's debugger tool when logging into our URL and found the following warning:  

    "A cookie associated with a cross-site resource at http://verimatrix.zendesk.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can find more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032."

    It looks to me that the latest version of Safari (13.0.4) has already implemented this security protocol regarding cross site cookies needing to request `SameSite=None` and be marked `Secure`. The cookies in question have no value and are being marked (in Chrome) as `SameSite=Lax`.

    It is bad enough that this affects our Mac users today, but Chrome will begin enforcing this security in February of 2020 (details here: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html) and then all Windows and MacOS Chrome users will also be affected. I have found that Microsoft's Edge developers and the Firefox developers are currently planning the same: 

    https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/AknSSyQTGYs/8lMmI5DwEAAJ

    https://groups.google.com/forum/#!msg/mozilla.dev.platform/nx2uP0CzA9k/BNVPWDHsAQAJ

    And to reassure myself that I wasn't missing something, I edited my Firefox about:config to set network.cookie.sameSite.noneRequiresSecure to equal 'true'. Attempting to log in at support.verimatrix.com/access/normal/, lo and behold, Firefox now displays the same error as in the image above from the current Safari browser.

    This same behavior can be tested in Chrome 76 by enabling chrome://flags/#same-site-by-default-cookies AND chrome://flags/

    This is also likely the cause of why Therese's Knowledge Capture disappeared. I believe if Therese were to set her Chrome setting for the two items above back to 'default' that will fix her issue for the short term. 

    Zendesk needs to modify the cookies that are loaded to request `SameSite=None` and be marked `Secure` to fix this issue when being called from its customer's branded URLs.

    Without Zendesk making this change, we, your customers, will not be able to continue to use our own domain name URLs for our customers to access our Zendesk portals. I hope this gets escalated to the software team for correction sooner than later, as I am sure that many of Zendesk's largest customers have huge investments (printed docs, websites, etc.) that all refer to their own domain names for logging into their Zendesk Support portals. I know I am not going to enjoy that I have to change all our communication materials on how to login to our support portal if this is not fixed soon.

    Respectfully,

    Andrew

    1
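
The enforcement rules described in the comment above, as an added example (not part of the original post, and not Zendesk's or any browser's code): a small JavaScript audit that takes `Set-Cookie` header values and reports whether each cookie would still accompany a cross-site request once SameSite-by-default and None-requires-Secure are both enforced. The cookie name and header values are constructed samples.

```javascript
// Audits Set-Cookie header values against the two rules discussed above:
//   1. a cookie with no SameSite attribute is treated as SameSite=Lax
//   2. SameSite=None is only accepted together with Secure
// Sample headers are constructed for illustration, not captured traffic.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    secure: false,
    sameSite: null, // null means the attribute is absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase(); // attribute names are case-insensitive
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Verdict for a cross-site subresource, iframe or POST request.
// (Lax cookies still travel on top-level GET navigations; not modelled here.)
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === null) {
    return { sent: false, reason: 'no SameSite attribute: treated as Lax' };
  }
  if (c.sameSite === 'strict' || c.sameSite === 'lax') {
    return { sent: false, reason: `SameSite=${c.sameSite} blocks cross-site use` };
  }
  if (c.sameSite === 'none') {
    return c.secure
      ? { sent: true, reason: 'SameSite=None with Secure' }
      : { sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  return { sent: false, reason: 'unrecognised SameSite value: treated as Lax' };
}

const samples = [
  '_session=abc123; Path=/; HttpOnly',
  '_session=abc123; Path=/; SameSite=None',
  '_session=abc123; Path=/; Secure; HttpOnly; SameSite=None',
];
for (const h of samples) console.log(crossSiteVerdict(h).reason, '<-', h);
```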
  • Andrew Soderberg

    Update on my post above. While everything about the technical issues of the post and the corrective work needed are accurate, the cause of my issue in Safari may not be due to Safari's developers implementing the new cookie security. I have found the article linked below that states:

    "WebKit, the browser engine used by Safari on macOS, iOS, and iPadOS, but also all browsers on the iOS/iPadOS platforms (Chrome, Firefox, etc. download from the AppStore), has a bug in it, which is setting SameSite=Strict instead of SameSite=None when provided."

    https://auth0.com/blog/browser-behavior-changes-what-developers-need-to-know/

    I have confirmed that the WebKit bug is fixed in iOS 13; it is likely, but not yet confirmed, that this has been brought across to MacOS 10.15 and fixed in Safari 13.0.x.

    This bug could be the cause of what I am seeing on my Mac systems. If not and the WebKit bug is fixed in Safari, the fix that Zendesk needs to do remains the same.

    The linked article above also describes how to solve this issue, whether it be from Apple implementing the new cookie security, or for those older browsers that do not know how to support `SameSite=None` in cookies. This information shows Zendesk a way out to provide both support for the new cookie standards and security as well as older browsers that are still in use.

    Respectfully,

    Andrew

    1
  • Brett - Community Manager

    Hey Andrew,

    Thanks for taking the time to share this with everyone! I see you have a ticket with this information escalated to our Tier 2 team. We will continue working with you on that ticket to gather more information.

    Cheers!

    0
  • Brian Correia

    Any updates on this?

    0
  • Brett - Community Manager

    Hey Brian,

    No update currently; however, I can confirm this is something our security developers are looking into.

    This post will be updated once we have more information to provide.

    Thanks for your patience!

    -1
  • Devan - Community Manager

    On Wednesday, February 5, from 10:00am-12:00pm CST, we'll have a special guest team of experts on hand to answer your questions about Support: Triggers and Email Workflows in your Zendesk Support instance for an AMA-style conversation!

    Just click the "new post" button and write up your question. Be sure to be as detailed as possible. The best questions include: 

    • What it is you're trying to do
    • What you've tried so far 
    • Any other context or relevant information
    • Screenshots, if you have them

    Questions posted to this topic in advance of the start time will be answered first thing on the 5th, so if you've got something you want our experts to look at, post it today!

    0
