[ https://issues.apache.org/jira/browse/DELTASPIKE-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295616#comment-17295616 ]
ASF subversion and git services commented on DELTASPIKE-1413:
-------------------------------------------------------------

Commit 9d0e3d1af0cb7e62c810ec23f97e12e86ab3cf6f in deltaspike's branch refs/heads/master from Mark Struberg
[ https://gitbox.apache.org/repos/asf?p=deltaspike.git;h=9d0e3d1 ]

DELTASPIKE-1413 add SameSite=Strict to dsrwid cookie

Sadly had to manually add the Set-Cookie header as Java's Cookie class does not have a SameSite attribute.

> dsrwid cookie should not be set to sameSite="None"
> --------------------------------------------------
>
>                 Key: DELTASPIKE-1413
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1413
>             Project: DeltaSpike
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>            Reporter: Matthias Walliczek
>            Assignee: Mark Struberg
>            Priority: Critical
>
> Currently the dsrwid cookie set by the lazy window handler is set to secure=false and sameSite=None.
> This combination will not be allowed by Firefox in the future. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
> Instead sameSite should be set to "lax", which is default in modern browsers.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
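The commit message says the Set-Cookie header had to be written by hand because `javax.servlet.http.Cookie` has no SameSite attribute. The class below is an added example of that approach; it is not DeltaSpike's code, and the class name, method names and the `dsrwid` sample value used in `main` are illustrative. It also rejects the `SameSite=None` without `Secure` combination that the bug report describes, and refuses characters that would let a value inject further attributes or headers.

```java
import java.util.Objects;

/**
 * Builds a Set-Cookie header value by hand so that a SameSite attribute can be
 * sent, because javax.servlet.http.Cookie offers no way to set one.
 * Added example, not DeltaSpike code; names are hypothetical.
 */
public final class SameSiteCookie {

    public enum SameSite { STRICT, LAX, NONE }

    private SameSiteCookie() {}

    /**
     * Returns a header value such as "dsrwid=123; Path=/; HttpOnly; SameSite=Strict".
     *
     * SameSite=None is only meaningful together with Secure; browsers drop the
     * cookie otherwise, so that combination is rejected up front.
     */
    public static String headerValue(String name, String value, String path,
                                     boolean secure, boolean httpOnly, SameSite sameSite) {
        Objects.requireNonNull(name, "name");
        Objects.requireNonNull(value, "value");
        Objects.requireNonNull(sameSite, "sameSite");
        if (sameSite == SameSite.NONE && !secure) {
            throw new IllegalArgumentException("SameSite=None requires the Secure attribute");
        }
        // RFC 6265 forbids separators, whitespace, quotes and backslashes in
        // names and values; rejecting them keeps a value from smuggling in
        // extra attributes or a second header line.
        if (name.matches(".*[;=\\s,\"\\\\].*") || value.matches(".*[;\\s,\"\\\\].*")) {
            throw new IllegalArgumentException("illegal character in cookie name or value");
        }

        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            sb.append("; Path=").append(path);
        }
        if (secure) {
            sb.append("; Secure");
        }
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        // Browsers accept the attribute case-insensitively; "Strict", "Lax", "None" is the usual spelling.
        String token = sameSite.name().charAt(0) + sameSite.name().substring(1).toLowerCase();
        sb.append("; SameSite=").append(token);
        return sb.toString();
    }

    // In a servlet the result is sent with
    //   response.addHeader("Set-Cookie", headerValue(...));
    // instead of response.addCookie(...), which would lose the SameSite attribute.
    public static void main(String[] args) {
        System.out.println(headerValue("dsrwid", "123", "/", false, true, SameSite.STRICT));
        try {
            headerValue("dsrwid", "123", "/", false, true, SameSite.NONE);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

`addHeader` rather than `setHeader` is the right call when emitting the header this way, since a response may carry several Set-Cookie lines and `setHeader` would overwrite any cookie added earlier in the same request.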