Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/12/05 19:11:00 UTC
[jira] [Commented] (NIFI-10899) Apply SameSite Attribute to Cookies
[ https://issues.apache.org/jira/browse/NIFI-10899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17643519#comment-17643519 ]
ASF subversion and git services commented on NIFI-10899:
--------------------------------------------------------
Commit 45a31c7286b89a12487054078c9f1adea18b0fcb in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=45a31c7286 ]
NIFI-10899 Added SameSite Policy to Application Cookies
- Added __Secure prefix to Application Cookie Names
Signed-off-by: Nathan Gough <th...@gmail.com>
This closes #6735.
> Apply SameSite Attribute to Cookies
> -----------------------------------
>
> Key: NIFI-10899
> URL: https://issues.apache.org/jira/browse/NIFI-10899
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Security
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The standard {{Authorization-Bearer}} cookie includes the [SameSite|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite] attribute in the {{Set-Cookie}} response header, but other cookies for CSRF mitigation, logout processing, and external authentication service integration do not apply the attribute when setting cookies.
> The Java Servlet [Cookie|https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html] does not support the {{SameSite}} attribute, but the NiFi {{StandardApplicationCookieService}} uses the Spring Response Cookie Builder, which supports the attribute and is capable of applying it to {{Set-Cookie}} headers. Direct use of the Java Servlet {{Cookie}} should be replaced with the implementation approach that supports setting the {{SameSite}} attribute to avoid warnings in modern browsers. In absence of the {{SameSite}} attribute, browsers default to {{Lax}}, but this can be changed to {{Strict}} in most cases.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
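The replacement approach the issue describes (Spring's ResponseCookie builder instead of the Servlet Cookie, with SameSite=Strict and the __Secure- prefix), as an added Java example that is not NiFi's own code. The cookie name, path, max-age and helper method names are constructed placeholders, not NiFi identifiers.

```java
import java.time.Duration;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

public final class SameSiteCookieExample {

    // Constructed placeholder name; NiFi's real cookie names are not reproduced here.
    // The __Secure- prefix is only honored by browsers when the cookie is also marked Secure.
    static final String COOKIE_NAME = "__Secure-Example-Token";

    /**
     * Build a Set-Cookie header value that carries SameSite alongside Secure and HttpOnly.
     * The Servlet Cookie class has no setter for SameSite, so the attribute cannot be
     * expressed through response.addCookie(); writing the header directly avoids that gap.
     */
    static String buildSetCookieHeader(String name, String value, String path, Duration maxAge) {
        ResponseCookie cookie = ResponseCookie.from(name, value)
                .secure(true)        // required for __Secure- and for SameSite=None in general
                .httpOnly(true)      // keep the token out of reach of page scripts
                .sameSite("Strict")  // stricter than the browser default of Lax
                .path(path)
                .maxAge(maxAge)
                .build();
        return cookie.toString();    // e.g. "__Secure-Example-Token=abc; Path=/; Max-Age=300; ..."
    }

    /** Defender-side check: does an emitted Set-Cookie value actually carry a SameSite attribute? */
    static boolean hasSameSite(String setCookieHeader) {
        for (String attribute : setCookieHeader.split(";")) {
            if (attribute.trim().regionMatches(true, 0, "SameSite=", 0, 9)) {
                return true;
            }
        }
        return false;
    }

    /** Servlet-only variant for contrast: Secure and HttpOnly are available, SameSite is not. */
    static Cookie servletCookieWithoutSameSite(String value) {
        Cookie cookie = new Cookie(COOKIE_NAME, value);
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
        cookie.setPath("/");
        return cookie;               // no setSameSite(...) exists on javax.servlet.http.Cookie
    }

    static void addApplicationCookie(HttpServletResponse response, String value) {
        String header = buildSetCookieHeader(COOKIE_NAME, value, "/", Duration.ofMinutes(5));
        response.addHeader(HttpHeaders.SET_COOKIE, header);
    }
}
```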