Posted to dev@deltaspike.apache.org by "Juri Berlanda (Jira)" <ji...@apache.org> on 2021/08/13 09:15:00 UTC

[jira] [Created] (DELTASPIKE-1435) dsrwid cookie should not be set to sameSite="None" - again

Juri Berlanda created DELTASPIKE-1435:
-----------------------------------------

             Summary: dsrwid cookie should not be set to sameSite="None" - again
                 Key: DELTASPIKE-1435
                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1435
             Project: DeltaSpike
          Issue Type: Bug
      Security Level: public (Regular issues)
    Affects Versions: 1.9.5
            Reporter: Juri Berlanda


Very similar to DELTASPIKE-1413, this refers to the missing {{SameSite}} attribute in {{windowhandler.js}} (https://github.com/apache/deltaspike/blob/deltaspike-1.9.5/deltaspike/modules/jsf/impl/src/main/resources/META-INF/resources/deltaspike/windowhandler.js#L619).

This means that the following warning still appears in Firefox (tested on 90.0.2):

{quote}Cookie “dsrwid-326” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 

windowhandler.js.xhtml:17:364{quote}

Now, I'd propose to set the cookie to {{SameSite=Strict}} here, too. PR is in the works.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
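
An added example, not part of the original message and not DeltaSpike's own code: a JavaScript check that classifies a cookie string by its SameSite and Secure attributes, including the "None without Secure" condition named in the Firefox warning, next to a cookie built with SameSite=Strict as the report proposes. The function names and the cookie value, path and max-age are assumptions; only the cookie name dsrwid-326 comes from the message.

```javascript
// Added example; function names and sample values are constructed for illustration.
const VALID_SAMESITE = new Set(["strict", "lax", "none"]);

// Parse a cookie string of the form "name=value; attr; attr=value".
function parseCookie(str) {
  const [pair = "", ...rest] = str.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1).trim(); // flag attributes become true
  }
  return { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Classify the SameSite/Secure combination of one cookie string.
function auditCookie(str) {
  const { attrs } = parseCookie(str);
  if (attrs.samesite === undefined) return "samesite-missing";
  const value = String(attrs.samesite).toLowerCase(); // attribute values are case-insensitive
  if (!VALID_SAMESITE.has(value)) return "samesite-invalid";
  if (value === "none" && !("secure" in attrs)) return "none-without-secure";
  return "ok";
}

// Hypothetical builder: a window-id cookie with SameSite=Strict, as proposed above.
function buildWindowCookie(name, value, maxAgeSeconds) {
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}` +
    `; path=/; max-age=${maxAgeSeconds}; SameSite=Strict`;
}

// Constructed sample cookie strings (not taken from windowhandler.js).
const samples = [
  "dsrwid-326=1234; path=/",
  "dsrwid-326=1234; path=/; SameSite=None",
  "dsrwid-326=1234; path=/; SameSite=None; Secure",
  "dsrwid-326=1234; path=/; SameSite=Sloppy",
  buildWindowCookie("dsrwid-326", "1234", 10),
];

function auditAll(list) {
  return list.map(auditCookie);
}

console.log(auditAll(samples));
```
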