[ https://issues.apache.org/jira/browse/DELTASPIKE-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295616#comment-17295616 ]
ASF subversion and git services commented on DELTASPIKE-1413:
-------------------------------------------------------------
Commit 9d0e3d1af0cb7e62c810ec23f97e12e86ab3cf6f in deltaspike's branch
refs/heads/master from Mark Struberg
[ https://gitbox.apache.org/repos/asf?p=deltaspike.git;h=9d0e3d1 ]
DELTASPIKE-1413 add SameSite=Strict to dsrwid cookie
Sadly had to manually add the SetCookie header as Java's Cookie
class does not have a SameSite attribute.
> dsrwid cookie should not be set to sameSite="None"
> --------------------------------------------------
>
> Key: DELTASPIKE-1413
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1413
> Project: DeltaSpike
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Matthias Walliczek
> Assignee: Mark Struberg
> Priority: Critical
>
> Currently the dsrwid cookie set by the lazy window handler is set to
> secure=false and sameSite=None.
> This combination will not be allowed by Firefox in the future. See
> https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite
> Instead sameSite should be set to "lax", which is default in modern browsers.
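The commit message above mentions adding the Set-Cookie header by hand because the Servlet Cookie class has no SameSite attribute. The following is an added example, not the code from the DeltaSpike commit: a standalone helper (class and method names are hypothetical, the cookie value is constructed) that builds such a header value, rejects characters that could inject extra attributes or headers, and refuses the SameSite=None without Secure combination the issue describes.

```java
/** Added illustration (not DeltaSpike code): hand-built Set-Cookie value with SameSite. */
public final class SameSiteCookie {

    public enum SameSite { STRICT("Strict"), LAX("Lax"), NONE("None");
        final String token;
        SameSite(String token) { this.token = token; }
    }

    // cookie-octet from RFC 6265: excludes CTLs, space, '"', ',', ';' and '\'.
    private static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
            || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    public static String build(String name, String value, String path,
                               SameSite sameSite, boolean secure) {
        // Conservative subset of the token characters allowed in a cookie name.
        if (!name.matches("[A-Za-z0-9_.-]+")) {
            throw new IllegalArgumentException("illegal cookie name");
        }
        for (char c : value.toCharArray()) {
            if (!isCookieOctet(c)) {
                throw new IllegalArgumentException("illegal character in cookie value");
            }
        }
        // A ';' or control character in the path would start a new attribute or header.
        for (char c : path.toCharArray()) {
            if (c < 0x20 || c == 0x7F || c == ';') {
                throw new IllegalArgumentException("illegal character in path");
            }
        }
        // Modern browsers reject SameSite=None cookies that lack the Secure attribute.
        if (sameSite == SameSite.NONE && !secure) {
            throw new IllegalArgumentException("SameSite=None requires Secure");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value)
            .append("; Path=").append(path);
        if (secure) {
            sb.append("; Secure");
        }
        return sb.append("; SameSite=").append(sameSite.token).toString();
    }

    public static void main(String[] args) {
        // Constructed sample value for the dsrwid cookie named in the issue.
        System.out.println(build("dsrwid", "1234", "/", SameSite.STRICT, false));
    }
}
```

In a servlet, the returned string would be passed to `HttpServletResponse.addHeader("Set-Cookie", ...)` instead of calling `addCookie`.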