Posted to commits@shiro.apache.org by bd...@apache.org on 2020/10/17 14:58:17 UTC

[shiro] branch 1.6.x updated: deleteMe cookie should use the defined "sameSite"

This is an automated email from the ASF dual-hosted git repository.

bdemers pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/shiro.git


The following commit(s) were added to refs/heads/1.6.x by this push:
     new b9973cb  deleteMe cookie should use the defined "sameSite"
b9973cb is described below

commit b9973cbf8346f6b04bf1f5197ad91215c9d4e2a5
Author: Frederic Tregon <fr...@codingame.com>
AuthorDate: Thu Oct 1 11:11:53 2020 +0200

    deleteMe cookie should use the defined "sameSite"
    
    With Chrome increasing security of cookies not defining any SameSite options, the deleteMe cookie may be blocked by Chrome under some circumstances.
    For example, when an app is used within a cross-site iframe, one must define the SameSite=None option. This works for the main cookie, but the deleteMe is currently blocked. This commit fixes this.
---
 web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
index d28405c..b385ed5 100644
--- a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
+++ b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
@@ -398,7 +398,7 @@ public class SimpleCookie implements Cookie {
         int version = getVersion();
         boolean secure = isSecure();
         boolean httpOnly = false; //no need to add the extra text, plus the value 'deleteMe' is not sensitive at all
-        SameSiteOptions sameSite = null;
+        SameSiteOptions sameSite = getSameSite();
 
         addCookieHeader(response, name, value, comment, domain, path, maxAge, version, secure, httpOnly, sameSite);
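Review bot: No test accompanies the change (the summary lists only SimpleCookie.java), so nothing guards against the deleteMe cookie silently regressing to a cookie without a SameSite attribute; a unit test that removes a cookie configured with SameSite=None and asserts the resulting Set-Cookie header carries the same `SameSite` value as the original cookie would pin this down. One caveat worth a comment next to `SameSiteOptions sameSite = getSameSite();`: browsers only accept SameSite=None together with the Secure attribute, and the hunk already forwards `secure = isSecure()`, so the deletion cookie inherits the same secure flag as the original, which is what makes the SameSite=None case work; the comment on the `httpOnly` line explains why that attribute is dropped, and a parallel note explaining why sameSite must not be dropped would stop a future reader from "simplifying" it back to null.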