https://bz.apache.org/bugzilla/show_bug.cgi?id=63865
Bug ID: 63865
Summary: Cookie Attribute SameSite=None is default to unset in Chrome browser
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
This PR for Tomcat added support for the SameSite cookie attribute,
https://github.com/apache/tomcat/pull/162/files. One thing I noticed is that if I
configure SameSite=None, then Tomcat is setting it to unset in the browser, and
the documentation echoes that behaviour.
With Chrome 77, I see a warning which is trying to say that SameSite should be
set to either None, Lax, or Strict.
Chrome Warning:
"A cookie associated with a cross-site resource at http://localhost/ was set
without the `SameSite` attribute. A future release of Chrome will only deliver
cookies with cross-site requests if they are set with `SameSite=None` and
`Secure`. You can review cookies in developer tools under
Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032"
I have an application (which we call an LTI tool,
https://www.imsglobal.org/activity/learning-tools-interoperability) that
is embedded inside another application so that users have a seamless experience,
and that's how it needs to operate. In my case SameSite=None is the appropriate
setting for the running application; with current Tomcat 8, if it is set to None,
the value is unset in the browser. And it looks like future browsers want it to
be set to one of those options: None, Lax, Strict.
Can you allow Tomcat to set it to None if the user chooses that option, instead of
defaulting to unset?
context.xml
<Context>
<CookieProcessor sameSiteCookies="None" />
</Context>
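
Added example, not part of the original report and not Tomcat code: a small Python check that classifies Set-Cookie header values by the rule quoted in the Chrome warning above (cross-site delivery only with SameSite=None and Secure). The function names, verdict labels and sample headers are constructed for illustration.

```python
# Sample Set-Cookie values, constructed for this example (not captured traffic).
SAMPLES = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                         # attribute left unset
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None",  # what an embedded tool needs
    "JSESSIONID=abc123; Path=/; HttpOnly; SameSite=None",          # None but no Secure
    "JSESSIONID=abc123; Path=/; Secure; samesite=lax",             # attribute names are case-insensitive
    "JSESSIONID=abc123; Path=/; SameSite=Bogus",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(header):
    """Return a verdict label for cross-site use of the cookie under the quoted Chrome rule."""
    _, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite")
    if same_site is None:
        return "unset"                # triggers the warning quoted in the report
    mode = same_site.lower()
    if mode == "none":
        # The warning requires SameSite=None *and* Secure for cross-site delivery.
        return "cross-site-ok" if "secure" in attrs else "none-without-secure"
    if mode in ("lax", "strict"):
        return "same-site-only"       # not attached to cross-site subrequests
    return "invalid"


def audit(headers):
    """Classify every header; returns a list of (header, verdict) pairs."""
    return [(h, classify(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in audit(SAMPLES):
        print("%-20s %s" % (verdict, header))
```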