Adding projects to smart mirror using different domain results in "Failed to add projects" error

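Platform notice: Data Center only - This article applies only to Atlassian products on the Data Center platform.

This KB was written for the Data Center version of the product. Data Center KBs for features that are not Data Center-specific may also work on the Server version of the product, but this has not been tested. Support for Server* products ended on February 15, 2024. If you are running a Server product, see the Atlassian Server end of support announcement page for your migration options.

*Except Fisheye and Crucible

Summary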

When using Google Chrome to add a new project to the list of projects that should be mirrored, the following error is displayed:

"Failed to add projects. Some projects could not be added. Please refresh the page and try again."

In addition, the mirror and the primary Bitbucket instance use different domains. For example:

  • mybitbucketinstance.com - Primary Bitbucket instance
  • mybitbucketmirror.com - Mirror

Environment

  • Bitbucket - Data Center 
  • Browser - Google Chrome (version 80+ under "Help > About Google Chrome")

Diagnosis

In the Google Chrome developer console, a POST request to the URL "https://mirrorservername.com/rest/mirroring/latest/upstreamServers/<UpstreamServerID>/settings/projects" can be seen. It returns a '401 Unauthorized' status code with the following content in the response:

{
  "errors": [
    {
      "context": null,
      "message": "You are not permitted to access this resource",
      "exceptionName": "com.atlassian.bitbucket.AuthorisationException"
    }
  ]
}

In addition, when reviewing the JavaScript console, the following warning message can be seen:

A cookie associated with a cross-site resource at https://mybitbucketmirrror.com/ was set without the `SameSite` attribute. 
It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. 
You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Cause

This error is thrown because the mirror is unable to set the necessary BITBUCKETSESSIONID cookie when loading the mirror administration page - resulting in any requests to the mirror being unauthenticated.

This cookie is ultimately unable to be set because the 'Set-Cookie' header within the response from the mirror is blocked by Google Chrome due to a recent change that was implemented in Google Chrome version 80+.

With this change, any cookie set for a domain that differs from the domain of the page being visited is not allowed unless the cookie contains the appropriate 'SameSite' value. As Bitbucket doesn't specify this attribute, the cookie is blocked.

Solution

There is currently an open bug request to address the need for this BITBUCKETSESSIONID cookie to be set despite the domain for the mirror and the primary Bitbucket instance being different:

Workaround

Any of the options below can be used to get past this error when configuring the projects to be synchronized to this mirror server:

  • Try clearing the browser cache
  • Try using a different browser such as Firefox
  • Change the domain of your mirrors to match the domain of your primary Bitbucket instance.

    • Using a context-path is a good alternative for helping to create distinct URLs for multiple different mirrors in one Bitbucket instance.

  • Use a reverse proxy to rewrite the 'Set-Cookie' header to contain the needed SameSite attribute, using something similar to the following rule:

    http-response replace-header Set-Cookie ^(BITBUCKETSESSIONID=.*) \1;\ SameSite=None

The rule above is specific to the HAProxy reverse proxy. If you are using a different reverse proxy, you may need to add the corresponding entry to achieve the same result.
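
To check what a proxy rewrite needs to produce, the following added example (not Atlassian's code and not part of the original article) models the rewrite on Set-Cookie values and tests them against the rule in the Chrome warning quoted under Diagnosis, which requires both `SameSite=None` and `Secure`. The function names and sample header values are constructed for illustration. Unlike the HAProxy rule above, this model also appends `Secure` when it is missing and replaces an existing SameSite value instead of adding a second one.

```python
import re

# Constructed sample Set-Cookie values (not captured from a real Bitbucket mirror).
SAMPLES = [
    "BITBUCKETSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "BITBUCKETSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
    "BITBUCKETSESSIONID=0123456789ABCDEF; Path=/; Secure; SameSite=None",
    "BITBUCKETSESSIONID=0123456789ABCDEF; SameSite=Lax; Secure",
    "othercookie=1; Path=/",
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag attributes map to ""
    return first.split("=", 1)[0], attrs

def delivered_cross_site(header):
    """True if the cookie carries both SameSite=None and Secure (the Chrome 80+ rule)."""
    _, attrs = parse_set_cookie(header)
    return attrs.get("samesite", "").lower() == "none" and "secure" in attrs

def rewrite_set_cookie(header, cookie_name="BITBUCKETSESSIONID"):
    """Model of the proxy rewrite: touch only the session cookie, and only if needed."""
    name, attrs = parse_set_cookie(header)
    if name != cookie_name or delivered_cross_site(header):
        return header
    # Drop any existing SameSite attribute so the result never carries two of them.
    out = re.sub(r";\s*SameSite=[^;]*", "", header, flags=re.IGNORECASE).rstrip("; ")
    out += "; SameSite=None"
    if "secure" not in attrs:
        out += "; Secure"  # a Secure cookie is only accepted over HTTPS
    return out

if __name__ == "__main__":
    for sample in SAMPLES:
        fixed = rewrite_set_cookie(sample)
        print(f"{delivered_cross_site(sample)!s:5} -> {delivered_cross_site(fixed)!s:5}  {fixed}")
```

After deploying a proxy rule, the same `delivered_cross_site` check can be applied to the Set-Cookie value shown for the mirror response in the browser's developer tools.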

Last updated: July 4, 2023
