This is an automated email from the ASF dual-hosted git repository.
mgrigorov pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push:
new f0b4b1b3b6 WICKET-7038: Add support for SameSite setting to
CookieDefaults
f0b4b1b3b6 is described below
commit f0b4b1b3b63f33e12c8b2b04e22fcf73b773ec34
Author: Martin Tzvetanov Grigorov <[email protected]>
AuthorDate: Tue Apr 4 09:46:47 2023 +0300
WICKET-7038: Add support for SameSite setting to CookieDefaults
Signed-off-by: Martin Tzvetanov Grigorov <[email protected]>
---
.../apache/wicket/util/cookies/CookieDefaults.java | 53 ++++++++++++++++++++++
.../apache/wicket/util/cookies/CookieUtils.java | 6 +++
2 files changed, 59 insertions(+)
diff --git
a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java
b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java
index 7693fa88d4..399ae53167 100644
---
a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java
+++
b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieDefaults.java
@@ -28,6 +28,29 @@ public class CookieDefaults implements IClusterable
{
private static final long serialVersionUID = 1L;
+ public enum SameSite
+ {
+ /**
+ * Cookies will be sent in all contexts, i.e. in responses to
both
+ * first-party and cross-site requests. If SameSite=None is set,
+ * the cookie Secure attribute must also be set (or the cookie
will be blocked).
+ */
+ None,
+
+ /**
+ * Cookies will only be sent in a first-party context and not
be sent
+ * along with requests initiated by third party websites.
+ */
+ Strict,
+
+ /**
+ * Cookies are not sent on normal cross-site subrequests (for
example to load
+ * images or frames into a third party site), but are sent when
a user is
+ * navigating to the origin site (i.e., when following a link).
+ */
+ Lax
+ }
+
/** Max age that the component will be persisted in seconds. */
private int maxAge = 3600 * 24 * 30; // 30 days
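Review bot: The new `SameSite` enum has no type-level Javadoc, and its constant names `None`, `Strict`, `Lax` depart from the usual UPPER_SNAKE_CASE without anything saying why; the reason is only visible in CookieUtils, which emits `settings.getSameSite().name()` verbatim as the attribute value, so a later "fix" of the naming would silently change what is written to the cookie. Add a Javadoc on the enum such as `/** Allowed values of the cookie SameSite attribute. The constant names are the exact attribute values (they are emitted through {@code name()}), so their casing must not be changed. */`. The constant-level comments themselves read fine.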
@@ -45,6 +68,8 @@ public class CookieDefaults implements IClusterable
private boolean httpOnly;
+ private SameSite sameSite = SameSite.Lax;
+
/**
* Gets the max age. After
*
@@ -140,6 +165,10 @@ public class CookieDefaults implements IClusterable
* @return 0 if the cookie complies with the original Netscape
specification; 1 if the cookie
* complies with RFC 2109
*/
+ @Deprecated(
+ since = "Servlet 6.0 / Wicket 10",
+ forRemoval = true
+ )
public int getVersion()
{
return version;
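Review bot: `@Deprecated` is added to getVersion without a matching `@deprecated` Javadoc tag, so the rendered API documentation still presents the version setting as fully supported and gives no hint why it is going away; the same applies to setVersion in the next hunk. The `since` element conventionally names the version of this library in which the element was deprecated, so `since = "10.0.0"` (or whatever the Wicket release is) with the Servlet 6.0 rationale moved into the Javadoc would read more conventionally than `"Servlet 6.0 / Wicket 10"`. A tag along the lines of `@deprecated cookie versions are not supported from Servlet 6.0 on; this property will be removed` covers both. The Javadoc of getVersion begins before this hunk.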
@@ -155,6 +184,10 @@ public class CookieDefaults implements IClusterable
* 0 if the cookie should comply with the original Netscape
specification; 1 if the
* cookie should comply with RFC 2109
*/
+ @Deprecated(
+ since = "Servlet 6.0 / Wicket 10",
+ forRemoval = true
+ )
public void setVersion(int version)
{
this.version = version;
@@ -183,4 +216,24 @@ public class CookieDefaults implements IClusterable
{
this.httpOnly = httpOnly;
}
+
+ /**
+ * Sets the SameSite attribute of the cookie.
+ *
+ * @param sameSite the SameSite attribute of the cookie
+ */
+ public void setSameSite(SameSite sameSite)
+ {
+ this.sameSite = sameSite;
+ }
+
+ /**
+ * Gets the SameSite attribute of the cookie.
+ *
+ * @return the SameSite attribute of the cookie
+ */
+ public SameSite getSameSite()
+ {
+ return sameSite != null ? sameSite : SameSite.Lax;
+ }
}
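Review bot: setSameSite accepts `null` silently and getSameSite then substitutes `Lax`, but neither Javadoc mentions it, so a caller passing `null` to mean "do not emit a SameSite attribute" will unknowingly get `SameSite=Lax` written by CookieUtils. Document the fallback on both members: `@param sameSite the SameSite attribute of the cookie; {@code null} is treated as {@link SameSite#Lax}` and `@return the SameSite attribute of the cookie, never {@code null}; defaults to {@link SameSite#Lax}`. If `null` is not meant to be accepted at all, `Objects.requireNonNull(sameSite, "sameSite")` in the setter would state that explicitly instead of the getter papering over it.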
diff --git
a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java
b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java
index 496e28b1e5..4c0c03d779 100644
--- a/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java
+++ b/wicket-core/src/main/java/org/apache/wicket/util/cookies/CookieUtils.java
@@ -328,11 +328,17 @@ public class CookieUtils
String path = request.getContainerRequest().getContextPath() +
"/" +
request.getFilterPrefix();
+ if (settings.getSameSite() == CookieDefaults.SameSite.None)
+ {
+ settings.setSecure(true);
+ }
+
cookie.setPath(path);
cookie.setVersion(settings.getVersion());
cookie.setSecure(settings.getSecure());
cookie.setMaxAge(settings.getMaxAge());
cookie.setHttpOnly(settings.isHttpOnly());
+ cookie.setAttribute("SameSite", settings.getSameSite().name());
}
/**
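Review bot: `settings.setSecure(true)` in the added if-block mutates the `CookieDefaults` object rather than the cookie being built; if `settings` is the shared application defaults (its declaration is outside this hunk), initializing a single cookie with SameSite=None permanently turns Secure on for every cookie created afterwards, even after SameSite is changed back. Apply the forced flag to the cookie only: drop the if-block and replace `cookie.setSecure(settings.getSecure());` with `cookie.setSecure(settings.getSecure() || settings.getSameSite() == CookieDefaults.SameSite.None);`, with a why-comment such as `// SameSite=None is blocked by browsers unless the cookie is also Secure`. The enclosing method begins before this hunk.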