lmccay commented on PR #647: URL: https://github.com/apache/knox/pull/647#issuecomment-1276482671
> This introduces a breaking change, changing to `strict` from `none`. It would be difficult to figure out what went wrong given the errors are thrown on the UI, so debugging this would be challenging. Perhaps changing it to `Lax` would be a compromise?

This will actually only break deployments that are relying on an insecure setting. Making this Strict by default is the same as the change that added Secure=true many years ago. In modern deployments, the SSO cookie is only being presented to Knox itself and therefore to the same domain. This should not break deployments that are configured properly to do this. Now, we could consider this a 2.0 release change and change the default for a new 1.6.x release. 2.0 is a major release and can carry incompatible changes.
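To make the Strict / Lax / None trade-off discussed above concrete, here is an added example (not Knox code) that models which requests a browser attaches a cookie to under each SameSite value, plus a small audit of a Set-Cookie header. Host names and cookie values are constructed, and the site comparison is simplified to the last two DNS labels rather than a public-suffix lookup.

```python
"""Model of when a browser attaches a cookie, by SameSite and Secure attributes.

Hypothetical example, not Knox code. Site comparison is simplified to the last
two DNS labels (no public-suffix list), which is enough for the cases below.
"""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(host: str) -> str:
    """Approximate the registrable domain (e.g. knox.example.com -> example.com)."""
    return ".".join(host.lower().split(".")[-2:])


def cookie_sent(same_site: str, initiator_host: str, target_host: str,
                top_level_navigation: bool = False, method: str = "GET",
                secure_attr: bool = True, https: bool = True) -> bool:
    """Return True if a cookie with the given attributes is attached to the request."""
    if secure_attr and not https:          # Secure cookies never travel over plain HTTP
        return False
    same_site_request = site_of(initiator_host) == site_of(target_host)
    mode = (same_site or "lax").lower()    # browsers treat an absent SameSite as Lax
    if mode == "strict":                   # same-site requests only, even top-level links
        return same_site_request
    if mode == "lax":                      # also sent on cross-site top-level safe navigations
        return same_site_request or (top_level_navigation and method.upper() in SAFE_METHODS)
    if mode == "none":                     # cross-site everywhere, but only if Secure is set
        return secure_attr
    raise ValueError(f"unknown SameSite value: {same_site}")


def audit_set_cookie(header: str) -> list[str]:
    """Flag weak attribute combinations in a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "samesite" not in attrs:
        findings.append("missing SameSite (browser default is Lax)")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    return findings


if __name__ == "__main__":
    # Constructed scenario: an IdP on another site redirects the browser back to Knox.
    for mode in ("Strict", "Lax", "None"):
        print(mode, cookie_sent(mode, "idp.example.org", "knox.example.com", True))
```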