Posted to dev@deltaspike.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/03/31 08:33:00 UTC
[jira] [Commented] (DELTASPIKE-1435) dsrwid cookie should not be set to sameSite="None" - again
[ https://issues.apache.org/jira/browse/DELTASPIKE-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707193#comment-17707193 ]
ASF subversion and git services commented on DELTASPIKE-1435:
-------------------------------------------------------------
Commit 124c037c9dad77f0eea0b2deee06ad5331bb1719 in deltaspike's branch refs/heads/master from Thomas Andraschko
[ https://gitbox.apache.org/repos/asf?p=deltaspike.git;h=124c037c9 ]
Merge pull request #118 from j-be/jbe-DELTASPIKE-1435
DELTASPIKE-1435 Add SameSite=Strict to windowhandler.js
> dsrwid cookie should not be set to sameSite="None" - again
> ----------------------------------------------------------
>
> Key: DELTASPIKE-1435
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1435
> Project: DeltaSpike
> Issue Type: Bug
> Security Level: public(Regular issues)
> Affects Versions: 1.9.5
> Reporter: Juri Berlanda
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Very similar to DELTASPIKE-1413, this refers to the missing {{SameSite}} attribute in {{windowhandler.js}} (https://github.com/apache/deltaspike/blob/deltaspike-1.9.5/deltaspike/modules/jsf/impl/src/main/resources/META-INF/resources/deltaspike/windowhandler.js#L619)
> This means that the following warning still appears in Firefox (tested on 90.0.2):
> {quote}Cookie “dsrwid-326” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
> windowhandler.js.xhtml:17:364{quote}
> Now, I'd propose to set the cookie to {{SameSite=Strict}} here, too. PR is in the works.
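The check behind this issue, as an added example that is not code from DeltaSpike's windowhandler.js: it builds a cookie string with SameSite=Strict as the issue proposes, and audits cookie strings for a missing or invalid SameSite attribute or for SameSite=None without Secure. The function names and the sample cookie values are assumptions made for illustration.

```javascript
// Added example; buildWindowCookie and auditCookieString are hypothetical
// names, not functions from windowhandler.js.
const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Build the string to assign to document.cookie, with SameSite=Strict
// set explicitly as proposed in the issue.
function buildWindowCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    'path=/',
    `max-age=${maxAgeSeconds}`,
    'SameSite=Strict',
  ].join('; ');
}

// Parse a cookie string's attributes and report whether SameSite is
// explicit and valid, and whether "None" is paired with "Secure".
function auditCookieString(cookieString) {
  const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  let sameSite = null; // null means the attribute is absent
  let secure = false;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    if (key === 'samesite') sameSite = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'secure') secure = true;
  }
  const missing = sameSite === null;
  const normalized = missing ? null : sameSite.toLowerCase();
  const invalid = !missing && !VALID_SAMESITE.has(normalized);
  const noneWithoutSecure = normalized === 'none' && !secure;
  return { name, sameSite, secure, missing, invalid,
           ok: !missing && !invalid && !noneWithoutSecure };
}

// Constructed sample inputs (cookie name taken from the quoted warning).
const samples = [
  'dsrwid-326=1234; path=/; max-age=3',   // no SameSite attribute
  buildWindowCookie('dsrwid-326', '1234', 3),
];
for (const s of samples) {
  const r = auditCookieString(s);
  console.log(`${r.name}: SameSite=${r.sameSite} secure=${r.secure} ok=${r.ok}`);
}
```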