Posted to dev@deltaspike.apache.org by "Matthias Walliczek (Jira)" <ji...@apache.org> on 2020/07/15 14:11:00 UTC
[jira] [Updated] (DELTASPIKE-1413) dsrwid cookie should not be set to sameSite="None"
[ https://issues.apache.org/jira/browse/DELTASPIKE-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matthias Walliczek updated DELTASPIKE-1413:
-------------------------------------------
Summary: dsrwid cookie should not be set to sameSite="None" (was: dsrwid cookie should not be set to sameSite "None")
> dsrwid cookie should not be set to sameSite="None"
> --------------------------------------------------
>
> Key: DELTASPIKE-1413
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1413
> Project: DeltaSpike
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Matthias Walliczek
> Priority: Critical
>
> Currently the dsrwid cookie set by the lazy window handler is set to secure=false and sameSite=None.
> This combination will not be allowed by Firefox in the future. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite
> Instead, sameSite should be set to "lax", which is the default in modern browsers.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
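
The attribute combination described in the report, as an added example that is not DeltaSpike code and not part of the original message: a small audit of cookie strings (as assigned to `document.cookie` or sent in `Set-Cookie`) that flags `SameSite=None` without `Secure` and treats a missing or unrecognized `SameSite` as Lax. The function names and the sample cookie values are assumptions constructed for illustration.

```javascript
// Parse a cookie string into its name and the two attributes that matter here.
function parseCookie(cookieString) {
  const [nameValue = '', ...attrs] = cookieString
    .split(';').map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    secure: false,
    sameSite: null, // null means the attribute was not present
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? '' : attr.slice(i + 1).trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// Report how a browser enforcing the newer SameSite rules treats the cookie.
function auditSameSite(cookieString) {
  const { name, secure, sameSite } = parseCookie(cookieString);
  if (sameSite === 'none') {
    // SameSite=None is only honoured together with Secure.
    return secure
      ? { name, outcome: 'accepted', enforcement: 'none' }
      : { name, outcome: 'rejected', enforcement: null };
  }
  if (sameSite === 'strict') {
    return { name, outcome: 'accepted', enforcement: 'strict' };
  }
  // "lax", a missing attribute, or an unrecognized value all end up as Lax.
  return { name, outcome: 'accepted', enforcement: 'lax' };
}

// Constructed sample cookies; the value "w1" and path are placeholders.
const SAMPLES = [
  'dsrwid=w1; path=/; SameSite=None',         // combination from the report
  'dsrwid=w1; path=/; SameSite=None; Secure', // valid, but sent cross-site
  'dsrwid=w1; path=/; SameSite=Lax',          // setting the report asks for
  'dsrwid=w1; path=/',                        // no attribute: Lax by default
];

for (const sample of SAMPLES) {
  console.log(sample, '=>', JSON.stringify(auditSameSite(sample)));
}
```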