ChristopherSchultz commented on issue #162: Add support for same-site cookie
attribute
URL: https://github.com/apache/tomcat/pull/162#issuecomment-491889201
Thank you for the proposed patch.
Understanding that changing the definition of a class in the `javax.servlet`
namespace (namely, `Cookie`) has some challenges, it seems to me that this is
the wrong approach. I think the right approach is to allow individual cookies
to have the "samesite" setting set individually.
Changing `Cookie` would allow fewer changes to the core API and the
`SameSiteCookies` class (which should be an `enum` IMO) would not need to exist.
What are our options when it comes to messing-around with the servlet API
classes?
Would it be better to apply a variant of this patch wait for another servlet
spec release to "fix" the Cookie API? Or would it be better to provide another
(different) container-specific workaround for things in the meantime? As much
as we all hate system properties, this might be a good time to use one, since
(a) it's intended to be temporary (pending a spec revision) and (b) it will
require fewer changes to the internal Tomcat API which will just have to be
un-done when the spec revision is published.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
