[ 
https://issues.apache.org/jira/browse/NIFI-10899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Handermann updated NIFI-10899:
------------------------------------
    Status: Patch Available  (was: In Progress)

> Apply SameSite Attribute to Cookies
> -----------------------------------
>
>                 Key: NIFI-10899
>                 URL: https://issues.apache.org/jira/browse/NIFI-10899
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The standard {{Authorization-Bearer}} cookie includes the 
> [SameSite|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite]
>  attribute in the {{Set-Cookie}} response header, but other cookies for CSRF 
> mitigation, logout processing, and external authentication service 
> integration do not apply the attribute when setting cookies.
> The Java Servlet 
> [Cookie|https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html] 
> does not support the {{SameSite}} attribute, but the NiFi 
> {{StandardApplicationCookieService}} uses the Spring Response Cookie Builder, 
> which supports the attribute and is capable of applying it to {{Set-Cookie}} 
> headers. Direct use of the Java Servlet {{Cookie}} should be replaced with 
> the implementation approach that supports setting the {{SameSite}} attribute 
> to avoid warnings in modern browsers. In the absence of the {{SameSite}} 
> attribute, browsers default to {{Lax}}, but this can be changed to 
> {{Strict}} in most cases.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
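The contrast the issue describes, as an added example that is not NiFi code and not part of the original issue or message: javax.servlet.http.Cookie has no setter for SameSite, so a cookie written through HttpServletResponse.addCookie never carries the attribute, while Spring's ResponseCookie builder (ResponseCookie.from, sameSite, build, toString, present in Spring Framework 5.1 and later) produces a Set-Cookie value that does. The class name, the cookie name "Request-Token" and the one-hour lifetime are assumptions chosen for the illustration; NiFi's StandardApplicationCookieService and its cookie names are not reproduced here.

```java
import java.time.Duration;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

/**
 * Illustrative helper, not NiFi's StandardApplicationCookieService: shows why
 * Set-Cookie headers written through the Servlet Cookie API lack SameSite and
 * how the same cookie is emitted with SameSite=Strict via Spring's builder.
 */
public final class SameSiteCookieExample {

    // Hypothetical cookie name for the demonstration (assumption, not a NiFi name)
    static final String COOKIE_NAME = "Request-Token";

    // Hypothetical lifetime for the demonstration (assumption)
    static final Duration COOKIE_MAX_AGE = Duration.ofHours(1);

    /**
     * Before: the Servlet Cookie class exposes HttpOnly, Secure, Path and Max-Age,
     * but has no SameSite setter, so the resulting header omits the attribute
     * and the browser falls back to its default (Lax in current browsers).
     */
    static void addServletCookie(HttpServletResponse response, String token) {
        Cookie cookie = new Cookie(COOKIE_NAME, token);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/");
        cookie.setMaxAge((int) COOKIE_MAX_AGE.getSeconds());
        response.addCookie(cookie); // header carries no SameSite attribute
    }

    /**
     * After: build the Set-Cookie value with ResponseCookie, which supports
     * SameSite, and return it so the caller can write or inspect it.
     */
    static ResponseCookie buildSameSiteCookie(String value, Duration maxAge, String sameSite) {
        return ResponseCookie.from(COOKIE_NAME, value)
                .httpOnly(true)
                .secure(true)
                .path("/")
                .maxAge(maxAge)
                .sameSite(sameSite)
                .build();
    }

    /** Emit the cookie as a raw Set-Cookie header, bypassing the Servlet Cookie API. */
    static void addSameSiteCookie(HttpServletResponse response, String token) {
        ResponseCookie cookie = buildSameSiteCookie(token, COOKIE_MAX_AGE, "Strict");
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    /**
     * Logout processing: expire the cookie with Max-Age=0 while keeping the same
     * Path and attributes, so the browser matches and discards the stored cookie.
     */
    static void removeSameSiteCookie(HttpServletResponse response) {
        ResponseCookie expired = buildSameSiteCookie("", Duration.ZERO, "Strict");
        response.addHeader(HttpHeaders.SET_COOKIE, expired.toString());
    }

    public static void main(String[] args) {
        // Print the header values so the SameSite attribute can be seen directly
        System.out.println(buildSameSiteCookie("example-token", COOKIE_MAX_AGE, "Strict"));
        System.out.println(buildSameSiteCookie("", Duration.ZERO, "Strict"));
    }
}
```

A browser does not send a SameSite=Strict cookie on a top-level navigation arriving from another site, so a cookie that has to survive the redirect back from an external identity provider generally needs Lax rather than Strict; that is the kind of exception behind the description's "in most cases", and the sameSite argument above is left as a parameter so each cookie can choose.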