SR-D79178 · Issue 543312
SameSite cookie setting added for Mashup support in Google Chrome v80+
Resolved in Pega Version 8.2.6
The Google Chrome browser version 80 and above now treats SameSite with a blank value as "Lax" by default, causing mashup scenarios to break. In order to compensate for this change, support has been added for setting SameSite=None in Cookie Settings in the CSRF LP (DevStudio-> System-> Setting-> CrossSiteRequestForgery) which will enforce HTTPS for the Pega server and mashup. Note: The SameSite cookie may be set to None/Lax/Strict, based on the requirement. For mashups to work, SameSite should be set as None. To follow proper security standards, it should be set as Strict.
SR-D83053 · Issue 544268
SameSite cookie setting added for Mashup support in Google Chrome v80+
Resolved in Pega Version 8.2.6
The Google Chrome browser version 80 and above now treats SameSite with a blank value as "Lax" by default, causing mashup scenarios to break. In order to compensate for this change, support has been added for setting SameSite=None in Cookie Settings in the CSRF LP (DevStudio-> System-> Setting-> CrossSiteRequestForgery) which will enforce HTTPS for the Pega server and mashup. Note: The SameSite cookie may be set to None/Lax/Strict, based on the requirement. For mashups to work, SameSite should be set as None. To follow proper security standards, it should be set as Strict.
SR-D83192 · Issue 545057
JobScheduler DST handling updated
Resolved in Pega Version 8.2.6
When the locale being used changed out of Daylight Savings Time, scheduled jobs did run at the same local time as before but instead ran an hour earlier than expected. Investigation showed that jobscheduler calculated the next runtime based on the time difference from the cluster reference time and current time in milliseconds, and this offset in milliseconds was added to next run time. Since the cluster was started in DST, the job was running on same time due to the time difference. To resolve this, the system will use a calculation offset and set hours/minutes to nextRunTime object so that calendar lib handles daylight savings.
SR-C93602 · Issue 485517
White list filter added for X-Forward-Host value security
Resolved in Pega Version 8.3.2
In order to improve security, a validation for X-Forward-Host value has been added which will be read from a local configuration. This is in the form of a white list regex filter for the host/XFHost header to ensure the URL's actions cannot be redirected.
SR-D37894 · Issue 505974
Query parameters will be cleared after redirection from authentication
Resolved in Pega Version 8.3.2
When using the /PRAuth Servlet, running a snapstart URL generated from a secondary application correctly executed SAML Authentication and Pega processing, but a second URL generated with different parameters ran with the parameters from the first request. The third and subsequent requests processed as expected with the parameters sent in with the request. Investigation showed that the previous parameters were picked due to the query string parameters not being cleared after redirection, and this issue has been resolved by updating the system so it will clear the parameters after issuing a redirect from the authentication policy engine.
SR-D41454 · Issue 506535
Updated HotFix Manager for use in older versions
Resolved in Pega Version 8.3.2
The DL logic in Hotfix Manager was changed in 8.3 to include the catalog of all framework changes. This had the unintended side effect of preventing DLs from being installed in Pega 7.3.1 and lower versions as the versions included in the catalog are not present on those systems and the validation failed. This has been resolved by revising the DL update so the system will only add all apps to the catalog for platform 7.4+ DLs.
SR-D46133 · Issue 534649
Colon in folder or file name will be replaced with underscore during unzip
Resolved in Pega Version 8.3.2
After creating a product file (zip), attempting to import the same file into an updated system resulted in an exception. Investigation showed that in this case the zip file was a Product rule form which had applications packaged with a colon(:) in the name of the application, a format that was allowed in 6.x versions. Because Windows machines restrict creating creating any folder or file with : in its name, the zip file could not be inflated as part of the import process. To resolve this, the system has been updated so that a colon(:) will be replaced by underscore(_) during inflate operations.
SR-D46536 · Issue 515792
Custom agent next run time will be rescheduled if the run failed
Resolved in Pega Version 8.3.2
If a customized agent that was set to run every day encountered an exception and failed to run, restarting the agent did not update it to the next run time; it still returned the passed trigger time as its next execution time. This has been resolved with an update that will reschedule the run if the next run time is in the past.
SR-D46681 · Issue 514432
SnapStart supports SAML2 Authentication
Resolved in Pega Version 8.3.2
When using an HTTP Post to SnapStart into Pega using PRCustom style or PRAuth style SAML authentication, the login was looping back to the login request. Investigation showed that the Pega ACS was posting data properly back to the RelayState URL, however the login activity was not getting the SAMLResponse and simply sent a SAML Login Request again. This has been fixed by updating reqContextURI in case of SAML2 Authentication service so pyActivity=value will be passed.
SR-D47685 · Issue 514645
Cookie logging restored
Resolved in Pega Version 8.3.2
As part of security updates, Cookies were restricted from being logged. However, this caused some business use cases such as a custom function call to obtain the list of cookies that are present in the application to stop working. To resolve this, the cookie logging restriction has been reverted.