Commit 7ef62e8

SameSite update
1 parent 3bf9f0b commit 7ef62e8

1 file changed

+2
-2
lines changed

articles/app-service/overview-authentication-authorization.md

Lines changed: 2 additions & 2 deletions
@@ -19,9 +19,9 @@ Azure App Service provides built-in authentication and authorization support, so
1919
Secure authentication and authorization require deep understanding of security, including federation, encryption, [JSON web tokens (JWT)](https://wikipedia.org/wiki/JSON_Web_Token) management, [grant types](https://oauth.net/2/grant-types/), and so on. App Service provides these utilities so that you can spend more time and energy on providing business value to your customer.
2020

2121
> [!IMPORTANT]
22-
> You're not required to use App Service for AuthN/AuthO. Many web frameworks are bundled with security features, and you can use them if you like. If you need more flexibility than App Service provides, you can also write your own utilities.
22+
> You're not required to use App Service for AuthN/AuthO. You can use the bundled security features in your web framework of choice, or you can write your own utilities. However, keep in mind that [Chrome 80 is making breaking changes to its implementation of SameSite for cookies](https://www.chromestatus.com/feature/5088147346030592) (release date around March 2020), and any custom authentication mechanism may break when client Chrome browsers are updated. The workaround is complex because it needs to support different SameSite behaviors for different browsers.
2323
>
24-
> However, if you go with any of the non-App Service options for remote authentication, keep in mind that [Chrome 80 is making breaking changes to its implementation of SameSite for cookies](https://www.chromestatus.com/feature/5088147346030592) (release date around March 2020), and your app's authentication mechanism may break when client browsers are updated. The ASP.NET Core documentation has information on how to address this in your app, at [HTTP: Browser SameSite changes impact authentication](/dotnet/core/compatibility/3.0-3.1#http-browser-samesite-changes-impact-authentication). It contains helpful guidance on how to test for this breaking change against the major browsers, regardless if you're using ASP.NET Core or not.
24+
> The ASP.NET Core 2.1 and above versions hosted by App Service are already patched for this breaking change and handle Chrome 80 and older browsers appropriately. In addition, the same patch for ASP.NET Framework 4.7.2 is being deployed on the App Service instances throughout January 2020. For more information, including how to know if your app has received the patch, see [Azure App Service SameSite cookie update](https://azure.microsoft.com/updates/app-service-samesite-cookie-update/).
2525
>
2626
2727
For information specific to native mobile apps, see [User authentication and authorization for mobile apps with Azure App Service](../app-service-mobile/app-service-mobile-auth.md).
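
Review bot: the rewritten `[!IMPORTANT]` note drops the only pointer for readers who keep a custom authentication mechanism, namely the removed link to [HTTP: Browser SameSite changes impact authentication](/dotnet/core/compatibility/3.0-3.1#http-browser-samesite-changes-impact-authentication) and its guidance on testing against the major browsers. The new first paragraph ends at "The workaround is complex because it needs to support different SameSite behaviors for different browsers", so that reader learns their sign-in may break but not where to find the fix or how to test for it; suggest keeping the link at the end of that paragraph. Two smaller points: "release date around March 2020" and "throughout January 2020" will go stale quickly, so plan a follow-up edit or phrase them so they stay accurate after the rollout; and "any custom authentication mechanism may break" is broader than the old "non-App Service options for remote authentication" wording, so confirm the wider scope is intended.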
