This is an automated email from the ASF dual-hosted git repository.

mgrigorov pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/master by this push:
     new f0b4b1b3b6 WICKET-7038: Add support for SameSite setting to 
CookieDefaults
f0b4b1b3b6 is described below

commit f0b4b1b3b63f33e12c8b2b04e22fcf73b773ec34
Author: Martin Tzvetanov Grigorov <[email protected]>
AuthorDate: Tue Apr 4 09:46:47 2023 +0300

    WICKET-7038: Add support for SameSite setting to CookieDefaults
    
    Signed-off-by: Martin Tzvetanov Grigorov <[email protected]>
---
 .../apache/wicket/util/cookies/CookieDefaults.java | 53 ++++++++++++++++++++++
 .../apache/wicket/util/cookies/CookieUtils.java    |  6 +++
 2 files changed, 59 insertions(+)

diff --git 
a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java 
b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java
index 7693fa88d4..399ae53167 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java
@@ -28,6 +28,29 @@ public class CookieDefaults implements IClusterable
 {
        private static final long serialVersionUID = 1L;
 
+       public enum SameSite
+       {
+               /**
+                * Cookies will be sent in all contexts, i.e. in responses to 
both
+                * first-party and cross-site requests. If SameSite=None is set,
+                * the cookie Secure attribute must also be set (or the cookie 
will be blocked).
+                */
+               None,
+
+               /**
+                * Cookies will only be sent in a first-party context and not 
be sent
+                * along with requests initiated by third party websites.
+                */
+               Strict,
+
+               /**
+                * Cookies are not sent on normal cross-site subrequests (for 
example to load
+                * images or frames into a third party site), but are sent when 
a user is
+                * navigating to the origin site (i.e., when following a link).
+                */
+               Lax
+       }
+
        /** Max age that the component will be persisted in seconds. */
        private int maxAge = 3600 * 24 * 30; // 30 days
 
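Review bot: The enum constants are deliberately mixed-case (`None`, `Strict`, `Lax`) because CookieUtils writes their `name()` verbatim as the cookie attribute value, but nothing in the enum says so, and a later "conventional" rename to UPPER_SNAKE_CASE would silently change the emitted header. Add a class-level comment making that contract explicit, e.g. `/** Values of the cookie SameSite attribute. The constant names are the attribute's canonical spelling and are written to the header via name(); do not rename them. */`. Browsers are, as far as I know, case-insensitive for this value, but there is no reason to rely on that. The `None` javadoc could also say that Wicket forces the Secure flag itself when this value is used, since that is what CookieUtils does in this commit.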
@@ -45,6 +68,8 @@ public class CookieDefaults implements IClusterable
 
        private boolean httpOnly;
 
+       private SameSite sameSite = SameSite.Lax;
+
        /**
         * Gets the max age. After
         * 
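Review bot: Defaulting the new field to `SameSite.Lax` changes what every existing application puts on the wire, because previously no SameSite attribute was emitted at all; browsers that do not already treat a missing attribute as Lax would presumably start withholding the cookie on cross-site POSTs. That is the right default security-wise, but it deserves a why-comment on the field so it is not "fixed" back later, e.g. `// Lax matches the modern browser default and blocks the cookie on cross-site POSTs; applications that need cross-site use must opt into None (which forces Secure).`. It may also be worth a line in the commit message or release notes, since the description does not mention the default.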
@@ -140,6 +165,10 @@ public class CookieDefaults implements IClusterable
         * @return 0 if the cookie complies with the original Netscape 
specification; 1 if the cookie
         *         complies with RFC 2109
         */
+       @Deprecated(
+               since = "Servlet 6.0 / Wicket 10",
+               forRemoval = true
+       )
        public int getVersion()
        {
                return version;
@@ -155,6 +184,10 @@ public class CookieDefaults implements IClusterable
         *            0 if the cookie should comply with the original Netscape 
specification; 1 if the
         *            cookie should comply with RFC 2109
         */
+       @Deprecated(
+               since = "Servlet 6.0 / Wicket 10",
+               forRemoval = true
+       )
        public void setVersion(int version)
        {
                this.version = version;
@@ -183,4 +216,24 @@ public class CookieDefaults implements IClusterable
        {
                this.httpOnly = httpOnly;
        }
+
+       /**
+        * Sets the SameSite attribute of the cookie.
+        *
+        * @param sameSite the SameSite attribute of the cookie
+        */
+       public void setSameSite(SameSite sameSite)
+       {
+               this.sameSite = sameSite;
+       }
+
+       /**
+        * Gets the SameSite attribute of the cookie.
+        *
+        * @return the SameSite attribute of the cookie
+        */
+       public SameSite getSameSite()
+       {
+               return sameSite != null ? sameSite : SameSite.Lax;
+       }
 }
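Review bot: `setSameSite` accepts `null` and `getSameSite` silently maps it to `Lax`, but neither Javadoc mentions that, so a caller passing `null` to mean "emit no attribute" gets `SameSite=Lax` instead. Either reject `null` in the setter or document the fallback on both sides: `@param sameSite the SameSite attribute of the cookie; {@code null} falls back to {@link SameSite#Lax}` and `@return the SameSite attribute of the cookie, never {@code null} ({@link SameSite#Lax} when unset)`. A `@since` tag on the new accessors would also help, given the class otherwise documents versions.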
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java 
b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java
index 496e28b1e5..4c0c03d779 100644
--- a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java
+++ b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java
@@ -328,11 +328,17 @@ public class CookieUtils
                String path = request.getContainerRequest().getContextPath() + 
"/" +
                        request.getFilterPrefix();
 
+               if (settings.getSameSite() == CookieDefaults.SameSite.None)
+               {
+                       settings.setSecure(true);
+               }
+
                cookie.setPath(path);
                cookie.setVersion(settings.getVersion());
                cookie.setSecure(settings.getSecure());
                cookie.setMaxAge(settings.getMaxAge());
                cookie.setHttpOnly(settings.isHttpOnly());
+               cookie.setAttribute("SameSite", settings.getSameSite().name());
        }
 
        /**
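Review bot: `settings.setSecure(true)` mutates the shared `CookieDefaults` instance as a side effect of initializing a single cookie, so once any cookie is built with `SameSite=None` the Secure flag stays forced on that settings object even if the caller later switches `sameSite` back to `Lax` or `Strict`. Compute the flag locally instead of writing it back: `boolean secure = settings.getSecure() || settings.getSameSite() == CookieDefaults.SameSite.None;` followed by `cookie.setSecure(secure);`, and drop the `setSecure` call. Forcing Secure for `None` is correct (browsers reject `SameSite=None` without it), but a short comment that such a cookie will then never be accepted over plain http, which can surprise local development setups, would be useful. `Cookie.setAttribute` is a Servlet 6.0 API, presumably matching the Servlet 6.0 baseline the deprecation annotations refer to. The enclosing method's signature lies above the hunk.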
