Re: [EXTERNAL] - Re: Partitioned cookies
Mark,

On 12/15/23 04:03, Mark Thomas wrote:
> On 14/12/2023 21:15, André van der Lugt wrote:
>>> From: Chuck Caldarale <mailto:n82...@gmail.com>
>>> Sent: Wednesday, November 15, 2023 9:48 AM
>>> To: Tomcat Users List <mailto:users@tomcat.apache.org>
>>> Subject: [EXTERNAL] - Re: Partitioned cookies
>>>
>>>> On Nov 15, 2023, at 08:06, Adam Warfield <mailto:awarf...@opentext.com.INVALID> wrote:
>>>>
>>>> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but starting in 2024, browsers will begin enforcing the newer "Partitioned" attribute for third-party cookies. Is there a way to set this attribute within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any webapps that are embedded within iframes across domains where those cookies will be rejected if not partitioned.
>>>
>>> Looks like the CHIPS proposal:
>>>
>>> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/
>>>
>>> expired this past May and no updated version has been submitted to IETF. Is there some other active standards document describing cookie partitioning?
>>>
>>> - Chuck
>>
>> Standard or not, Google/Chrome is moving on and will (as noted above) soon start to gradually reject third-party cookies without the Partitioned attribute.
>> I'm kindly asking the experts: is Tomcat support for this feature being planned?
>
> No.
>
>> If not, what can be done to modestly prioritize it?
>
> Open an enhancement request in Bugzilla. Better still, provide a PR to implement the change.

No need, right? Tomcat 10 has Cookie.setAttribute(), as I mentioned back on 2023-11-16 in response to the OP.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
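One way to apply the Cookie.setAttribute() suggestion above to both the container-created JSESSIONID and an application cookie such as XSRF-TOKEN, as an added example that is not part of the thread or of Tomcat's own code. It assumes a Jakarta Servlet 6.0 container (Tomcat 10.1 or later); the class name, the `partitioned` helper and the empty-string attribute value are assumptions, and how a valueless attribute is written into Set-Cookie depends on the container's cookie processor.

```java
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.Cookie;

// Added example (hypothetical class name); needs the Servlet 6.0 API,
// where setAttribute() exists on both Cookie and SessionCookieConfig.
@WebListener
public class PartitionedCookieSetup implements ServletContextListener {

    private static final String SAME_SITE = "SameSite";
    private static final String PARTITIONED = "Partitioned";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // JSESSIONID is created by the container, so it is configured
        // through SessionCookieConfig rather than on a Cookie object.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        // A partitioned cookie must be Secure, and a cookie sent from a
        // cross-site iframe must be SameSite=None.
        cfg.setSecure(true);
        cfg.setHttpOnly(true);
        cfg.setAttribute(SAME_SITE, "None");
        // Assumption: the empty string is used as the value of a flag-style
        // attribute; serialization is decided by the cookie processor.
        cfg.setAttribute(PARTITIONED, "");
    }

    // Hypothetical helper for application cookies such as XSRF-TOKEN.
    // HttpOnly is left off because such a token is usually read by script.
    public static Cookie partitioned(String name, String value, String path) {
        Cookie c = new Cookie(name, value);
        c.setPath(path);
        c.setSecure(true);
        c.setAttribute(SAME_SITE, "None");
        c.setAttribute(PARTITIONED, "");
        return c;
    }
}
```

A servlet would send the application cookie with `response.addCookie(PartitionedCookieSetup.partitioned("XSRF-TOKEN", token, "/"))`; check the Set-Cookie header actually emitted by the deployed Tomcat version before relying on it.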
Re: [EXTERNAL] - Re: Partitioned cookies
On 14/12/2023 21:15, André van der Lugt wrote:
>> From: Chuck Caldarale <mailto:n82...@gmail.com>
>> Sent: Wednesday, November 15, 2023 9:48 AM
>> To: Tomcat Users List <mailto:users@tomcat.apache.org>
>> Subject: [EXTERNAL] - Re: Partitioned cookies
>>
>>> On Nov 15, 2023, at 08:06, Adam Warfield <mailto:awarf...@opentext.com.INVALID> wrote:
>>>
>>> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but starting in 2024, browsers will begin enforcing the newer "Partitioned" attribute for third-party cookies. Is there a way to set this attribute within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any webapps that are embedded within iframes across domains where those cookies will be rejected if not partitioned.
>>
>> Looks like the CHIPS proposal:
>>
>> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/
>>
>> expired this past May and no updated version has been submitted to IETF. Is there some other active standards document describing cookie partitioning?
>>
>> - Chuck
>
> Standard or not, Google/Chrome is moving on and will (as noted above) soon start to gradually reject third-party cookies without the Partitioned attribute.
> I'm kindly asking the experts: is Tomcat support for this feature being planned?

No.

> If not, what can be done to modestly prioritize it?

Open an enhancement request in Bugzilla. Better still, provide a PR to implement the change.

Mark
RE: [EXTERNAL] - Re: Partitioned cookies
> -----Original Message-----
> From: Adam Warfield
> Sent: woensdag 15 november 2023 16:49
> To: Tomcat Users List
> Subject: Re: [EXTERNAL] - Re: Partitioned cookies
>
> That's strange. I was not aware the proposal had expired. I've been working
> off of a few pages as it seemed Chrome/Edge were moving forward with
> Firefox at least showing positive support without committing.
>
> https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/
> (October 2023)
>
> https://github.com/mozilla/standards-positions/issues/678 (Firefox showing
> positive support, last updated 2022)
>
> https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies
>
> https://github.com/privacycg/CHIPS
>
> Adam
>
> From: Chuck Caldarale <mailto:n82...@gmail.com>
> Sent: Wednesday, November 15, 2023 9:48 AM
> To: Tomcat Users List <mailto:users@tomcat.apache.org>
> Subject: [EXTERNAL] - Re: Partitioned cookies
>
> CAUTION: This email originated from outside of the organization. Do not click
> links or open attachments unless you recognize the sender and know the
> content is safe. If you feel that the email is suspicious, please report it
> using PhishAlarm.
>
>> On Nov 15, 2023, at 08:06, Adam Warfield
>> <mailto:awarf...@opentext.com.INVALID> wrote:
>>
>> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute
>> but starting in 2024, browsers will begin enforcing the newer "Partitioned"
>> attribute for third-party cookies. Is there a way to set this attribute
>> within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This
>> affects any webapps that are embedded within iframes across domains where
>> those cookies will be rejected if not partitioned.
>
> Looks like the CHIPS proposal:
>
> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/
>
> expired this past May and no updated version has been submitted to IETF. Is
> there some other active standards document describing cookie partitioning?
>
> - Chuck

Standard or not, Google/Chrome is moving on and will (as noted above) soon start to gradually reject third-party cookies without the Partitioned attribute.
I'm kindly asking the experts: is Tomcat support for this feature being planned? If not, what can be done to modestly prioritize it?

André
Re: [EXTERNAL] - Re: Partitioned cookies
That's strange. I was not aware the proposal had expired. I've been working off of a few pages as it seemed Chrome/Edge were moving forward with Firefox at least showing positive support without committing.

https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/ (October 2023)

https://github.com/mozilla/standards-positions/issues/678 (Firefox showing positive support, last updated 2022)

https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies

https://github.com/privacycg/CHIPS

Adam

From: Chuck Caldarale
Sent: Wednesday, November 15, 2023 9:48 AM
To: Tomcat Users List
Subject: [EXTERNAL] - Re: Partitioned cookies

> On Nov 15, 2023, at 08:06, Adam Warfield wrote:
>
> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but starting in 2024, browsers will begin enforcing the newer "Partitioned" attribute for third-party cookies. Is there a way to set this attribute within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any webapps that are embedded within iframes across domains where those cookies will be rejected if not partitioned.

Looks like the CHIPS proposal:

Cookies Having Independent Partitioned State specification
https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/

expired this past May and no updated version has been submitted to IETF. Is there some other active standards document describing cookie partitioning?

- Chuck