David Handermann created NIFI-10899:
---------------------------------------

             Summary: Apply SameSite Attribute to Cookies
                 Key: NIFI-10899
                 URL: https://issues.apache.org/jira/browse/NIFI-10899
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core Framework, Security
            Reporter: David Handermann
            Assignee: David Handermann


The standard {{Authorization-Bearer}} cookie includes the 
[SameSite|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite]
 attribute in the {{Set-Cookie}} response header, but other cookies for CSRF 
mitigation, logout processing, and external authentication service integration 
do not apply the attribute when setting cookies.

The Java Servlet 
[Cookie|https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html] 
does not support the {{SameSite}} attribute, but the NiFi 
{{StandardApplicationCookieService}} uses the Spring Response Cookie Builder, 
which supports the attribute and is capable of applying it to {{Set-Cookie}} 
headers. Direct use of the Java Servlet {{Cookie}} should be replaced with the 
implementation approach that supports setting the {{SameSite}} attribute to 
avoid warnings in modern browsers. In the absence of the {{SameSite}} attribute, 
browsers default to {{Lax}}, but this can be changed to {{Strict}} in most 
cases.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

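The two approaches the issue contrasts, as an added example that is not part of the Jira issue or the NiFi code base: the Servlet {{Cookie}} path has no way to emit {{SameSite}}, while Spring's {{ResponseCookie}} builder does. Class and method names here are hypothetical; only the {{javax.servlet}} and {{org.springframework.http}} APIs are real.

```java
import java.time.Duration;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

public final class SameSiteCookieExample {

    // Servlet API: Cookie has no setter for SameSite, so the resulting
    // Set-Cookie header omits the attribute and the browser falls back to Lax.
    static void addServletCookie(HttpServletResponse response, String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        response.addCookie(cookie);
    }

    // Spring ResponseCookie builder: SameSite is a first-class attribute.
    // Strict suits CSRF and logout cookies that are only read on same-site requests.
    static ResponseCookie buildStrictCookie(String name, String value, Duration maxAge) {
        return ResponseCookie.from(name, value)
                .path("/")
                .httpOnly(true)
                .secure(true)
                .sameSite("Strict")
                .maxAge(maxAge)
                .build();
    }

    // Expiring a cookie must repeat the same attributes (Path, SameSite) so the
    // browser matches and removes the original cookie.
    static ResponseCookie buildRemovalCookie(String name) {
        return buildStrictCookie(name, "", Duration.ZERO);
    }

    // ResponseCookie.toString() renders the full Set-Cookie header value, e.g.
    // "Request-Token=abc; Path=/; Max-Age=300; Expires=...; Secure; HttpOnly; SameSite=Strict"
    static void addResponseCookie(HttpServletResponse response, ResponseCookie cookie) {
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    // Defensive check a test or filter can apply to every outgoing Set-Cookie header.
    static boolean hasSameSite(String setCookieHeaderValue) {
        return setCookieHeaderValue.matches("(?i).*;\\s*SameSite=(Strict|Lax|None)\\s*(;.*)?");
    }
}
```

{{hasSameSite}} returns false for the header produced by {{addServletCookie}} and true for the one produced by {{addResponseCookie}}, which is the gap the issue asks to close.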