Posted to users@tomcat.apache.org by Adam Warfield <aw...@opentext.com.INVALID> on 2023/11/15 14:06:51 UTC

Partitioned cookies

The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but starting in 2024, browsers will begin enforcing the newer "Partitioned" attribute for third-party cookies. Is there a way to set this attribute within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any webapps that are embedded within iframes across domains where those cookies will be rejected if not partitioned.

Adam

Re: Partitioned cookies

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Adam,

On 11/15/23 09:06, Adam Warfield wrote:
> The Rfc6265CookieProcessor supports setting the SameSite cookie
> attribute but starting in 2024, browsers will begin enforcing the
> newer "Partitioned" attribute for third-party cookies.
> 
> Is there a way to set this attribute within Tomcat for things like the
> JSESSIONID and XSRF-TOKEN cookies?

Wait... are you using cookies for CSRF tokens? That doesn't really 
provide much protection. Your CSRF cookie will be transmitted along with 
any request, even "forged" requests.

Are you responsible for the primary web application, here, or are you 
responsible for a third-party site such as an advertiser, back-end 
service, etc.?

> This affects any webapps that are embedded within iframes across
> domains where those cookies will be rejected if not partitioned.

If you migrate to Tomcat 10.1 or later (with Jakarta Servlet APIs), 
there is Cookie.setAttribute(String name, String value)[1]

If you cannot upgrade to Tomcat 10 in time, then you can simply resort 
to setting the headers directly:

response.addHeader("Set-Cookie", "XSRF-TOKEN=foo; Partitioned");

-chris

[1] 
https://jakarta.ee/specifications/servlet/6.0/apidocs/jakarta.servlet/jakarta/servlet/http/cookie#setAttribute(java.lang.String,java.lang.String)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
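Both routes Chris describes (the Servlet 6.0 `Cookie.setAttribute()` call and writing the `Set-Cookie` header directly) can be packaged as a servlet filter so the attribute is applied in one place rather than at every `addCookie` call. The class below is an added example, not code from Tomcat or from anyone in this thread; the class name, the cookie-name set and the assumption that Tomcat's `Rfc6265CookieProcessor` renders an attribute with an empty value as a bare `Partitioned` token are all mine and should be checked against the Tomcat version in use. It also adds the companion attributes a cross-site iframe needs: browsers only accept `Partitioned` on a `Secure` cookie, and a cookie read inside a third-party frame needs `SameSite=None`.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (example code, not part of Tomcat). Any Set-Cookie the
 * application emits through the wrapped response for one of the named cookies
 * leaves with Secure, SameSite=None and Partitioned attached exactly once.
 */
public class PartitionedCookieFilter implements Filter {

    // Cookie names to rewrite; constructed for this example.
    private static final Set<String> NAMES = Set.of("JSESSIONID", "XSRF-TOKEN");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new PartitionedResponse((HttpServletResponse) res));
    }

    /** Raw-header route (works on any Servlet version): append missing attributes. */
    static String partition(String setCookie) {
        String name = setCookie.split("=", 2)[0].trim();
        if (!NAMES.contains(name)) {
            return setCookie;
        }
        String lower = setCookie.toLowerCase(Locale.ROOT);
        StringBuilder sb = new StringBuilder(setCookie);
        if (!lower.contains("; secure")) {
            sb.append("; Secure");          // Partitioned is rejected without Secure
        }
        if (!lower.contains("; samesite=")) {
            sb.append("; SameSite=None");   // required for use inside a cross-site frame
        }
        if (!lower.contains("; partitioned")) {
            sb.append("; Partitioned");
        }
        return sb.toString();
    }

    static final class PartitionedResponse extends HttpServletResponseWrapper {
        PartitionedResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addHeader(String header, String value) {
            super.addHeader(header, "Set-Cookie".equalsIgnoreCase(header) ? partition(value) : value);
        }

        @Override
        public void setHeader(String header, String value) {
            super.setHeader(header, "Set-Cookie".equalsIgnoreCase(header) ? partition(value) : value);
        }

        /** Servlet 6.0 route: attach the attributes to the Cookie object itself. */
        @Override
        public void addCookie(Cookie cookie) {
            if (NAMES.contains(cookie.getName())) {
                cookie.setSecure(true);
                cookie.setAttribute("SameSite", "None");
                // Assumed: an empty value is rendered as the bare token "Partitioned".
                cookie.setAttribute("Partitioned", "");
            }
            super.addCookie(cookie);
        }
    }
}
```

Register the filter on the paths that serve the embedded pages. One caveat worth verifying in a test deployment: the container writes JSESSIONID itself when it creates a session, and that write does not necessarily pass through a servlet filter's response wrapper, so confirm with the browser's cookie inspector that the session cookie actually arrives with the attributes before relying on this for JSESSIONID rather than only for cookies the application adds.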


Re: [EXTERNAL] - Re: Partitioned cookies

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 12/15/23 04:03, Mark Thomas wrote:
> On 14/12/2023 21:15, André van der Lugt wrote:
> 
>>> From: Chuck Caldarale <ma...@gmail.com>
>>> Sent: Wednesday, November 15, 2023 9:48 AM
>>> To: Tomcat Users List <ma...@tomcat.apache.org>
>>> Subject: [EXTERNAL] - Re: Partitioned cookies
>>>
>>>> On Nov 15, 2023, at 08:06, Adam Warfield
>>>> <ma...@opentext.com.INVALID> wrote:
>>>>
>>>> The Rfc6265CookieProcessor supports setting the SameSite cookie 
>>>> attribute
>>>> but starting in 2024, browsers will begin enforcing the newer 
>>>> "Partitioned"
>>>> attribute for third-party cookies. Is there a way to set this 
>>>> attribute within
>>>> Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This 
>>>> affects
>>>> any webapps that are embedded within iframes across domains where those
>>>> cookies will be rejected if not partitioned.
>>>
>>>
>>> Looks like the CHIPS proposal:
>>>
>>> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/
>>>
>>>
>>> expired this past May and no updated version has been submitted to 
>>> IETF. Is
>>> there some other active standards document describing cookie 
>>> partitioning?
>>>
>>>    - Chuck
>>
>> Standard or not, Google/Chrome is moving on and will (as noted above) 
>> soon start to gradually reject third-party cookies without the 
>> Partitioned attribute.
>>
>> I'm kindly asking the experts: is Tomcat support for this feature 
>> being planned?
> 
> No.
> 
>> If not, what can be done to modestly prioritize it?
> 
> Open an enhancement request in Bugzilla. Better still, provide a PR to 
> implement the change.

No need, right? Tomcat 10 has Cookie.setAttribute(), as I mentioned back 
on 2023-11-16 in response to the OP.

-chris



Re: [EXTERNAL] - Re: Partitioned cookies

Posted by Mark Thomas <ma...@apache.org>.
On 14/12/2023 21:15, André van der Lugt wrote:

>> From: Chuck Caldarale <ma...@gmail.com>
>> Sent: Wednesday, November 15, 2023 9:48 AM
>> To: Tomcat Users List <ma...@tomcat.apache.org>
>> Subject: [EXTERNAL] - Re: Partitioned cookies
>>
>>> On Nov 15, 2023, at 08:06, Adam Warfield
>>> <ma...@opentext.com.INVALID> wrote:
>>>
>>> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute
>>> but starting in 2024, browsers will begin enforcing the newer "Partitioned"
>>> attribute for third-party cookies. Is there a way to set this attribute within
>>> Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects
>>> any webapps that are embedded within iframes across domains where those
>>> cookies will be rejected if not partitioned.
>>
>>
>> Looks like the CHIPS proposal:
>>
>> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/
>>
>>
>> expired this past May and no updated version has been submitted to IETF. Is
>> there some other active standards document describing cookie partitioning?
>>
>>    - Chuck
> 
> Standard or not, Google/Chrome is moving on and will (as noted above) soon start to gradually reject third-party cookies without the Partitioned attribute.
> 
> I'm kindly asking the experts: is Tomcat support for this feature being planned?

No.

> If not, what can be done to modestly prioritize it?

Open an enhancement request in Bugzilla. Better still, provide a PR to 
implement the change.

Mark



RE: [EXTERNAL] - Re: Partitioned cookies

Posted by André van der Lugt <av...@outlook.com>.
> -----Original Message-----
> From: Adam Warfield <aw...@opentext.com.INVALID>
> Sent: woensdag 15 november 2023 16:49
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: [EXTERNAL] - Re: Partitioned cookies
> 
> That's strange. I was not aware the proposal had expired. I've been working
> off of a few pages as it seemed Chrome/Edge were moving forward with
> Firefox at least showing positive support without committing.
> 
> https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/  (October 2023)
>
> https://github.com/mozilla/standards-positions/issues/678  (Firefox showing positive support, last updated 2022)
>
> https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies
>
> https://github.com/privacycg/CHIPS
> 
> 
> Adam
> 
> ________________________________________
> From: Chuck Caldarale <ma...@gmail.com>
> Sent: Wednesday, November 15, 2023 9:48 AM
> To: Tomcat Users List <ma...@tomcat.apache.org>
> Subject: [EXTERNAL] - Re: Partitioned cookies
> 
> CAUTION: This email originated from outside of the organization. Do not click
> links or open attachments unless you recognize the sender and know the
> content is safe. If you feel that the email is suspicious, please report it using
> PhishAlarm.
> 
> 
>> On Nov 15, 2023, at 08:06, Adam Warfield
>> <ma...@opentext.com.INVALID> wrote:
>> 
>> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute
>> but starting in 2024, browsers will begin enforcing the newer "Partitioned"
>> attribute for third-party cookies. Is there a way to set this attribute within
>> Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects
>> any webapps that are embedded within iframes across domains where those
>> cookies will be rejected if not partitioned.
> 
> 
> Looks like the CHIPS proposal:
> 
> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/
> 
> 
> expired this past May and no updated version has been submitted to IETF. Is
> there some other active standards document describing cookie partitioning?
> 
>   - Chuck

Standard or not, Google/Chrome is moving on and will (as noted above) soon start to gradually reject third-party cookies without the Partitioned attribute.

I'm kindly asking the experts: is Tomcat support for this feature being planned? If not, what can be done to modestly prioritize it?

André




Re: [EXTERNAL] - Re: Partitioned cookies

Posted by Adam Warfield <aw...@opentext.com.INVALID>.
That's strange. I was not aware the proposal had expired. I've been working off of a few pages as it seemed Chrome/Edge were moving forward with Firefox at least showing positive support without committing.

https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/  (October 2023)

https://github.com/mozilla/standards-positions/issues/678  (Firefox showing positive support, last updated 2022)

https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies

https://github.com/privacycg/CHIPS


Adam

________________________________
From: Chuck Caldarale <n8...@gmail.com>
Sent: Wednesday, November 15, 2023 9:48 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: [EXTERNAL] - Re: Partitioned cookies



On Nov 15, 2023, at 08:06, Adam Warfield <aw...@opentext.com.INVALID> wrote:

The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but starting in 2024, browsers will begin enforcing the newer "Partitioned" attribute for third-party cookies. Is there a way to set this attribute within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any webapps that are embedded within iframes across domains where those cookies will be rejected if not partitioned.


Looks like the CHIPS proposal:

https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/

expired this past May and no updated version has been submitted to IETF. Is there some other active standards document describing cookie partitioning?

  - Chuck


Re: Partitioned cookies

Posted by Chuck Caldarale <n8...@gmail.com>.
> On Nov 15, 2023, at 08:06, Adam Warfield <aw...@opentext.com.INVALID> wrote:
> 
> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but starting in 2024, browsers will begin enforcing the newer "Partitioned" attribute for third-party cookies. Is there a way to set this attribute within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any webapps that are embedded within iframes across domains where those cookies will be rejected if not partitioned.



Looks like the CHIPS proposal:

https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/

expired this past May and no updated version has been submitted to IETF. Is there some other active standards document describing cookie partitioning?

  - Chuck