[jira] [Commented] (WICKET-7037) [Ajax Download] cookie used to track download complete misses the SameSite attribute

Mon, 03 Apr 2023 03:27:03 -0700 


    [ 
https://issues.apache.org/jira/browse/WICKET-7037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707904#comment-17707904
 ] 

ASF GitHub Bot commented on WICKET-7037:
----------------------------------------

reiern70 commented on code in PR #566:
URL: https://github.com/apache/wicket/pull/566#discussion_r1155773675


##########
wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/wicket-ajaxdownload.js:
##########
@@ -28,7 +28,7 @@
        Wicket.AjaxDownload = {
                initiate : function(settings) {
                        document.cookie = settings.name +
-                               '=;path=/;Max-Age=0;expires=Thu, 01 Jan 1970 
00:00:01 GMT';
+                               '=;path=/;Max-Age=0;expires=Thu, 01 Jan 1970 
00:00:01 GMT; SameSite=None; Secure';

Review Comment:
   A cookie is just some special header... Maybe this is teh approach we should 
follow here so that we can have the same at client side and server side. 
Because if we use setCookie then, at least in case fo tomcat, application sever 
will use its own machiney to write SameSite attibuture (e.g. see 
Rfc6265CookieProcessor)





> [Ajax Download] cookie used to track download complete misses the SameSite 
> attribute
> ------------------------------------------------------------------------------------
>
>                 Key: WICKET-7037
>                 URL: https://issues.apache.org/jira/browse/WICKET-7037
>             Project: Wicket
>          Issue Type: Bug
>            Reporter: Ernesto Reinaldo Barreiro
>            Assignee: Ernesto Reinaldo Barreiro
>            Priority: Major
>         Attachments: image-2023-04-02-11-58-25-399.png
>
>
> Firefox produces the following warining when using AjaxDownload
> Cookie “wicket-ajaxdownload-id63-0” does not have a proper “SameSite” 
> attribute value. Soon, cookies without the “SameSite” attribute or with an 
> invalid value will be treated as “Lax”. This means that the cookie will no 
> longer be sent in third-party contexts. If your application depends on this 
> cookie being available in such contexts, please add the “SameSite=None“ 
> attribute to it. To know more about the “SameSite“ attribute, read 
> [https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite]
>  
> from 
>  
> !image-2023-04-02-11-58-25-399.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to