[
https://issues.apache.org/jira/browse/WICKET-7037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707809#comment-17707809
]
ASF GitHub Bot commented on WICKET-7037:
----------------------------------------
reiern70 commented on code in PR #566:
URL: https://github.com/apache/wicket/pull/566#discussion_r1155624709
##########
wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/wicket-ajaxdownload.js:
##########
@@ -28,7 +28,7 @@
Wicket.AjaxDownload = {
initiate : function(settings) {
document.cookie = settings.name +
- '=;path=/;Max-Age=0;expires=Thu, 01 Jan 1970
00:00:01 GMT';
+ '=;path=/;Max-Age=0;expires=Thu, 01 Jan 1970
00:00:01 GMT; SameSite=None; Secure';
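Review bot: On the changed `document.cookie` line, `SameSite=None; Secure` is hard-coded into the string that expires the tracking cookie, so every application gets the most permissive SameSite value whether or not it runs in a third-party context. Browsers also reject cookie writes that carry `Secure` when the page is served over plain HTTP, so on a non-HTTPS deployment this expiry write would be dropped. Consider reading the attribute string from `settings` (a hypothetical extra field next to `settings.name`), defaulting to a same-site value, and appending `Secure` only when the page is on HTTPS. A short comment explaining why attributes are needed on a cookie that is being expired would help the next reader.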
Review Comment:
> I'm not sure regarding this change
>
> One of the use cases of our application is "Run inside `iframe`". This mode
> requires modification of `webapps/_ctx_/META-INF/context.xml` and setting
>
> `<CookieProcessor sameSiteCookies="None" />` (Lax by default)
>
> So _maybe_ Servlet container can handle this?
I don't think so because this is used by server side cookie processor like in
code below

to add the SameSite thing to server side generated cookies. Maybe we
should make this configurable by passing some parameter to the JavaScript layer?
> [Ajax Download] cookie used to track download complete misses the SameSite
> attribute
> ------------------------------------------------------------------------------------
>
> Key: WICKET-7037
> URL: https://issues.apache.org/jira/browse/WICKET-7037
> Project: Wicket
> Issue Type: Bug
> Reporter: Ernesto Reinaldo Barreiro
> Assignee: Ernesto Reinaldo Barreiro
> Priority: Major
> Attachments: image-2023-04-02-11-58-25-399.png
>
>
> Firefox produces the following warning when using AjaxDownload
> Cookie “wicket-ajaxdownload-id63-0” does not have a proper “SameSite”
> attribute value. Soon, cookies without the “SameSite” attribute or with an
> invalid value will be treated as “Lax”. This means that the cookie will no
> longer be sent in third-party contexts. If your application depends on this
> cookie being available in such contexts, please add the “SameSite=None“
> attribute to it. To know more about the “SameSite“ attribute, read
> [https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite]
>
> from
>
> !image-2023-04-02-11-58-25-399.png!