Hi Tomcat Team,

I have done basic research on $Subject. SameSite [1] [2] is a cookie attribute, like HttpOnly and the Secure flag. The SameSite cookie attribute instructs a browser not to send the cookie with cross-origin third-party requests and to send the cookie only when we are using the web application directly. The main use case of this attribute is mitigating CSRF attacks.

AFAIK, Tomcat does not support the SameSite attribute for cookies yet. Could you please clarify whether you have plans to support this in an upcoming release? IMHO, if it is not on your roadmap, it would be better to include it in Tomcat as well.

[1] https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-5.2
[2] https://www.owasp.org/index.php/SameSite

Looking forward to your prompt reply.

Thanks.

Regards,
Mathuriga.

*T. Mathuriga*
Undergraduate,
Department of Computer Science and Engineering,
University of Moratuwa, Sri Lanka.
Email: tmathuriga...@cse.mrt.ac.lk
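What the attribute changes in browser behaviour, as an added example that is neither Tomcat code nor part of the message above: a small Python model of the Strict/Lax rules from the cited draft, plus a helper that appends the attribute to a Set-Cookie header string (the kind of thing a filter or reverse proxy would do while the container lacks native support). Host names, cookie names and the two-label registrable-domain shortcut are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Safe methods per the draft: a Lax cookie is still sent on cross-site
# top-level navigations that use one of these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. A real browser consults the
    # Public Suffix List to find the registrable domain.
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Cookie:
    name: str
    domain: str                 # host that set the cookie
    samesite: Optional[str]     # "Strict", "Lax" or None (attribute absent)


def should_send(cookie: Cookie, initiator_host: str, method: str,
                top_level_navigation: bool) -> bool:
    """Decide whether the browser attaches `cookie` to a request.

    initiator_host: site of the document that caused the request (the page
    that embeds an <img>, issues fetch(), or submits a <form>).
    top_level_navigation: True when the request replaces the top-level page
    (link click, form submit), False for subresources and XHR/fetch.
    """
    same_site = registrable_domain(cookie.domain) == registrable_domain(initiator_host)
    if cookie.samesite is None or same_site:
        return True                      # no attribute, or same-site: sent
    if cookie.samesite == "Strict":
        return False                     # never sent cross-site
    if cookie.samesite == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    raise ValueError("unknown SameSite value: %r" % cookie.samesite)


def add_samesite(set_cookie: str, mode: str = "Lax") -> str:
    """Append SameSite=<mode> to a Set-Cookie header value if it is absent."""
    if mode not in ("Strict", "Lax"):
        raise ValueError("unsupported SameSite mode: " + mode)
    attrs = [a.strip() for a in set_cookie.split(";")]
    if any(a.lower().startswith("samesite=") for a in attrs):
        return set_cookie                # respect an explicit application choice
    return set_cookie.rstrip("; ") + "; SameSite=" + mode


if __name__ == "__main__":
    session = Cookie("JSESSIONID", "bank.example", "Lax")
    # Cross-site form POST (the classic CSRF shape): Lax blocks the cookie.
    print(should_send(session, "attacker.example", "POST", True))   # False
    print(add_samesite("JSESSIONID=abc; Path=/; HttpOnly; Secure"))
```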