On 07/06/18 08:20, Mathuriga Thavarajah wrote:
> Hi Tomcat Team,
>
> I have done some basic research on $Subject. SameSite [1] [2] is a cookie
> attribute, like the HttpOnly and Secure flags. The SameSite cookie
> attribute instructs a browser not to send the cookie with cross-origin
> third-party requests and to send it only when the user is using the web
> application directly. The main use case of this attribute is mitigating
> CSRF attacks.
>
> AFAIK, Tomcat does not support the SameSite attribute for cookies yet.
> Could you please clarify whether you have plans to support this in an
> upcoming release? IMHO, if it is not on your roadmap, it would be better to
> include it in Tomcat as well.
There are currently no plans to implement this.

Note that the spec you quote is not the latest. The latest is here:
https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-02.txt

Interestingly, the draft has expired. It looks like work has stopped. I'd be interested in finding out why. Particularly as Firefox and Edge have added support fairly recently.

Section 5.3.7.1 in the latest spec provides a useful overview of where this is, and is not, useful.

Personally, I am +0 on adding this. I'd be more in favour if the spec work had not stopped and/or the protection it offered was more complete.

I suggest that the best way forward would be to open an enhancement request. Enhancement requests that include patches tend to be looked at sooner.

The httpOnly support could be used as a basis for what needs to be added where. The main difference is that the value will need to be an enum (none, lax, strict) or similar rather than a boolean.

Mark

>
> [1] https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-5.2
> [2] https://www.owasp.org/index.php/SameSite
>
> Looking forward to your prompt reply.
>
> Thanks.
>
> Regards,
> Mathuriga.
>
> *T. Mathuriga*
> Undergraduate,
> Department of Computer Science and Engineering,
> University of Moratuwa,
> Sri Lanka.
>
> Email: tmathuriga...@cse.mrt.ac.lk
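A servlet filter that covers the gap Mark describes until the container supports the attribute itself, written here as an added example and not taken from the thread or from Tomcat's own code: it post-processes the Set-Cookie headers after the servlet has run, driven by the enum-valued setting he sketches instead of a boolean. It assumes the Servlet 3.0 API (for HttpServletResponse.getHeaders) and a made-up init-param name, sameSite.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class SameSiteCookieFilter implements Filter {
    /** An enum rather than a boolean, as the reply suggests; UNSET leaves cookies untouched. */
    public enum SameSite { UNSET, LAX, STRICT }

    private SameSite policy = SameSite.LAX;

    @Override
    public void init(FilterConfig config) {
        // "sameSite" is an assumed init-param name for this example, not a Tomcat setting.
        String value = config.getInitParameter("sameSite");
        if (value != null) {
            policy = SameSite.valueOf(value.trim().toUpperCase(Locale.ROOT));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res); // let the app and the session manager set cookies first
        if (policy == SameSite.UNSET || !(res instanceof HttpServletResponse)) {
            return;
        }
        HttpServletResponse response = (HttpServletResponse) res;
        List<String> rewritten = new ArrayList<>();
        for (String header : response.getHeaders("Set-Cookie")) {
            rewritten.add(appendSameSite(header, policy));
        }
        // setHeader replaces every existing Set-Cookie value; addHeader restores the rest.
        for (int i = 0; i < rewritten.size(); i++) {
            if (i == 0) response.setHeader("Set-Cookie", rewritten.get(i));
            else response.addHeader("Set-Cookie", rewritten.get(i));
        }
    }

    /** Add the attribute once; a cookie that already carries SameSite is left as-is. */
    static String appendSameSite(String header, SameSite policy) {
        if (header.toLowerCase(Locale.ROOT).contains("samesite=")) {
            return header;
        }
        return header + "; SameSite=" + (policy == SameSite.LAX ? "Lax" : "Strict");
    }

    @Override public void destroy() {}
}
```

Nothing is rewritten once the response has been committed, so a servlet that flushes its body before its cookies are set keeps the original Set-Cookie headers; check for that case rather than assuming every cookie was covered.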