Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/10/18 17:27:33 UTC

[Bug 63865] New: Cookie Attribute SameSite=None is default to unset in Chrome browser

https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

            Bug ID: 63865
           Summary: Cookie Attribute SameSite=None is default to unset in
                    Chrome browser
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: pushyami@umich.edu
  Target Milestone: ----

This PR for Tomcat added support for the SameSite cookie attribute:
https://github.com/apache/tomcat/pull/162/files. One thing I noticed is that if I
configure SameSite=None then Tomcat sets it to unset in the browser; the
documentation echoes that behaviour.

With Chrome 77, I see a warning which is trying to say that SameSite should be
set to either None, Lax, or Strict.
Chrome warning:
"A cookie associated with a cross-site resource at http://localhost/ was set
without the `SameSite` attribute. A future release of Chrome will only deliver
cookies with cross-site requests if they are set with `SameSite=None` and
`Secure`. You can review cookies in developer tools under
Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032"

I have an application (which we call an LTI tool,
https://www.imsglobal.org/activity/learning-tools-interoperability) that
is embedded inside another application so that users have a seamless experience,
and that's how it needs to operate. In my case SameSite=None is the appropriate
setting for the running application; with current Tomcat 8, if it is set to None,
Tomcat unsets the value in the browser. And it looks like future browsers want
it to be set to one of those options: None, Lax, Strict.

Can you allow Tomcat to set it to None if the user chooses that option, instead
of defaulting to unset?
context.xml
<Context>
   <CookieProcessor sameSiteCookies="None" />
</Context>

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
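
The behaviour reported above (a configured None emitted as no SameSite attribute at all, which Chrome 80 then treats as Lax) can be checked from the Set-Cookie response headers. This is an added example, not part of the original report or of Tomcat's code; the function names and the sample header strings are constructed for illustration.

```python
# Added example: classify Set-Cookie headers under the Chrome 80 SameSite rules.
# The header strings below are constructed samples, not captured Tomcat output.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(header):
    """Return (cookie name, effective cross-site behaviour, finding)."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if same_site not in ("none", "lax", "strict"):
        # Attribute missing or unrecognised: Chrome 80 treats it as Lax.
        return name, "lax", "no usable SameSite attribute; treated as Lax"
    if same_site == "none" and not secure:
        # Chrome 80 only accepts SameSite=None together with Secure.
        return name, "rejected", "SameSite=None without Secure"
    if same_site == "none":
        return name, "none", "sent on cross-site requests"
    return name, same_site, "restricted on cross-site requests"

def audit(headers):
    """Return the cookies that will not be sent in an embedded (cross-site) context."""
    results = [classify(h) for h in headers]
    return [r for r in results if r[1] != "none"]

SAMPLE_HEADERS = [  # constructed
    "JSESSIONID=abc123; Path=/lti; HttpOnly",
    "JSESSIONID=abc123; Path=/lti; HttpOnly; SameSite=None",
    "JSESSIONID=abc123; Path=/lti; Secure; HttpOnly; SameSite=None",
    "theme=dark; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for name, effective, finding in audit(SAMPLE_HEADERS):
        print(f"{name}: {effective} ({finding})")
```
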


[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- master for 9.0.28 onwards
- 8.5.x for 8.5.48 onwards

Thanks to John Kelly for the PR.
https://github.com/apache/tomcat/pull/219



[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthew.buckett@ctl.ox.ac.u
                   |                            |k

--- Comment #6 from Mark Thomas <ma...@apache.org> ---
*** Bug 63947 has been marked as a duplicate of this bug. ***



[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|REOPENED                    |RESOLVED

--- Comment #8 from Mark Thomas <ma...@apache.org> ---
Yes, it clearly is.



[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

--- Comment #4 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Pushyami Gundala from comment #3)
> Thanks for the fix. When is 8.5.48 going to be released? Chrome 80 is
> scheduled to release Feb 4, 2020
> https://www.chromestatus.com/features/schedule

Looks like markt has just proposed a round of releases, including what will
(likely) be 8.5.48. You should certainly have plenty of time before Chrome 80
is released.

If you have further questions, please post to the users' mailing list as
Bugzilla is not a support forum but a bug-tracker.



[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

--- Comment #5 from Remy Maucherat <re...@apache.org> ---
There's a release batch almost every month, so please stop asking "when" ...



[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

Bob <al...@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED

--- Comment #7 from Bob <al...@gmx.de> ---
It seems that - unlike what the release notes say - this patch is NOT in 8.5.50,
at least not in the sources tagged with it (also no .51!)

Check
https://github.com/apache/tomcat/blob/8.5.50/java/org/apache/tomcat/util/http/CookieProcessorBase.java



[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

--- Comment #3 from Pushyami Gundala <pu...@umich.edu> ---
Thanks for the fix. When is 8.5.48 going to be released? Chrome 80 is
scheduled to release Feb 4, 2020 https://www.chromestatus.com/features/schedule



[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

--- Comment #1 from Prakash Saraf <pp...@gmail.com> ---
Google Chrome will also default all cookies without the "SameSite" attribute to
"Samesite=LAX" effective from Chrome v80. So, it's important that if the value
is set to NONE, Tomcat does honor that and puts SameSite=NONE rather than
unsetting it.
Reference for upcoming Chrome change -
https://www.chromestatus.com/feature/5088147346030592
