[jira] [Commented] (WICKET-7037) [Ajax Download] cookie used to track download complete misses the SameSite attribute

Mon, 03 Apr 2023 23:39:07 -0700 


    [ 
https://issues.apache.org/jira/browse/WICKET-7037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708247#comment-17708247
 ] 

ASF GitHub Bot commented on WICKET-7037:
----------------------------------------

reiern70 commented on PR #566:
URL: https://github.com/apache/wicket/pull/566#issuecomment-1495428332

   > @reiern70 my only concern is to avoid breakage of currently working 
applications with this change :( I can't test your code using my use case right 
now :( I need to set-up the whole chain of applications (but don't have enough 
time :((( )
   > 
   > If you sure your change is safe - I will be happy to approve it :))
   
   @solomax 
   
   As it is right now it will for certain break some application. As stated 
before I don't see a clear way to fix this on 9.x master as Cookie class offers 
no setters for SameSite and this is added, at least in tomcat, via some 
impememntation CookieProcessor inetrface that transform cookies into a cookie 
header. I will see what I can do otherwise I close this PR 
   




> [Ajax Download] cookie used to track download complete misses the SameSite 
> attribute
> ------------------------------------------------------------------------------------
>
>                 Key: WICKET-7037
>                 URL: https://issues.apache.org/jira/browse/WICKET-7037
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 9.12.0
>            Reporter: Ernesto Reinaldo Barreiro
>            Assignee: Ernesto Reinaldo Barreiro
>            Priority: Major
>             Fix For: 10.0.0, 9.13.0
>
>         Attachments: image-2023-04-02-11-58-25-399.png
>
>
> Firefox produces the following warining when using AjaxDownload
> Cookie “wicket-ajaxdownload-id63-0” does not have a proper “SameSite” 
> attribute value. Soon, cookies without the “SameSite” attribute or with an 
> invalid value will be treated as “Lax”. This means that the cookie will no 
> longer be sent in third-party contexts. If your application depends on this 
> cookie being available in such contexts, please add the “SameSite=None“ 
> attribute to it. To know more about the “SameSite“ attribute, read 
> [https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite]
>  
> from 
>  
> !image-2023-04-02-11-58-25-399.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to