Re: Chrome Canary and SameSite cookie setting
On Sat, Aug 17, 2019 at 9:23 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Thad,
>
> On 8/17/19 17:06, Thad Humphries wrote:
> > I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06
> > (4.12.0). I've encountered a problem with Chrome Canary Version
> > 78.0.3886.0 which installed today, August 17th, 2019.
> >
> > When beginning the session with my server, Chrome will not honor
> > the JSESSIONID cookie. In the Chrome console is the warning:
> >
> > "[Deprecation] A cookie associated with a cross-site resource at
> > http://localhost/ was set without the `SameSite` attribute. A
> > future release of Chrome will only deliver cookies with cross-site
> > requests if they are set with `SameSite=None`. You can review
> > cookies in developer tools under Application>Storage>Cookies and
> > see more details at
> > https://www.chromestatus.com/feature/5088147346030592."
> >
> > Chrome 76 (the stable release) works fine, and Canary works if I
> > disable the "SameSite by default cookies"
> > (chrome://flags/#same-site-by-default-cookies). However the link in
> > the deprecation warning notes that this feature will be enabled by
> > default in Chrome 80.
> >
> > I've read the CookieProcessor docs
> > (https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
> > which leads me to believe that sameSiteCookies is set to none by default.
> > However I don't see that in Chrome's DevTools, nor in the
> > JSESSIONID I receive when testing my server app with Insomnia
> > v6.6.2. I have tried setting the CookieProcessor explicitly by
> > adding
> >
> > to conf/context.xml but to no effect.
>
> The default is "none". When it's set to "none" (or not set at all,
> because it's the default), then you get "none".
>
> > BTW, I'm using https://github.com/eBay/cors-filter for my CORS
> > filters. I don't think my apps will be run in something other than
> > Tomcat's, but can't say that for certain (certainly my boss and
> > customer support manager want me to stay as generic as possible).
> >
> > Am I missing something? How can I fix this issue?
>
> When the value is "none", then no SameSite attribute is sent. At all.
> It doesn't send "SameSite=none" to the browser. It sends nothing.
> Chrome is complaining about the SameSite attribute not being sent. If
> you want Chrome to stop complaining, then set the sameSite attribute
> to something *other than* "none".
>
> -chris

Ah! Thank you. Setting sameSiteCookies="lax" works with the default or with explicitly enabling it. I thought I'd tried this before, but maybe that was before I installed Tomcat 8.5.43. Or maybe I was editing the wrong context.xml among the different Tomcats on my server. Whatever, it's working now. Thanks again.

--
"Hell hath no limits, nor is circumscrib'd
In one self-place; but where we are is hell,
And where hell is, there must we ever be"
--Christopher Marlowe, *Doctor Faustus* (v. 111-13)
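The behaviour Chris describes, as an added example that is not code from the thread or from Tomcat: it models what Tomcat 8.5.43 appends to Set-Cookie for each sameSiteCookies value (nothing for "none") and then reports how Chrome 80's SameSite-by-default change treats each header, using constructed sample cookies. The check that SameSite=None also needs Secure is Chrome 80 behaviour not mentioned in the thread.

```python
# Added example, not code from the thread or from Tomcat. It models the Tomcat
# 8.5.43 CookieProcessor behaviour Chris describes and then checks the resulting
# Set-Cookie headers the way Chrome 80's "SameSite by default" change will.
from typing import Dict, List, Tuple

# sameSiteCookies value -> text Tomcat 8.5.43 appends ("none" appends nothing at all)
TOMCAT_SAMESITE = {"none": "", "lax": "; SameSite=Lax", "strict": "; SameSite=Strict"}


def tomcat_set_cookie(name: str, value: str, same_site_setting: str) -> str:
    """Build the Set-Cookie header Tomcat 8.5.43 sends for a given sameSiteCookies value."""
    return f"{name}={value}; Path=/app; HttpOnly" + TOMCAT_SAMESITE[same_site_setting]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def classify(header: str) -> Tuple[str, str]:
    """Tag a Set-Cookie header with how Chrome 80 treats it:
    'missing'             - no SameSite attribute: defaulted to Lax, with the deprecation warning
    'none-without-secure' - SameSite=None without Secure: Chrome 80 drops the cookie
    'ok'                  - explicit SameSite (Lax/Strict, or None together with Secure)"""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        return name, "missing"
    if same_site == "none" and "secure" not in attrs:
        return name, "none-without-secure"
    return name, "ok"


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    return [classify(h) for h in headers]


# Constructed samples: the thread's JSESSIONID under each setting, plus two SameSite=None cases.
SAMPLE_HEADERS = [tomcat_set_cookie("JSESSIONID", "ABC123", s) for s in ("none", "lax", "strict")]
SAMPLE_HEADERS += ["tracker=1; Path=/; SameSite=None", "tracker=1; Path=/; Secure; SameSite=None"]

if __name__ == "__main__":
    for cookie_name, tag in audit(SAMPLE_HEADERS):
        print(f"{cookie_name}: {tag}")
```

Later Tomcat releases added an `unset` value and changed `none` to emit `SameSite=None`, so check the CookieProcessor docs for the version you actually run.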
Re: Chrome Canary and SameSite cookie setting
Thad,

On 8/17/19 17:06, Thad Humphries wrote:
> I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06
> (4.12.0). I've encountered a problem with Chrome Canary Version
> 78.0.3886.0 which installed today, August 17th, 2019.
>
> When beginning the session with my server, Chrome will not honor
> the JSESSIONID cookie. In the Chrome console is the warning:
>
> "[Deprecation] A cookie associated with a cross-site resource at
> http://localhost/ was set without the `SameSite` attribute. A
> future release of Chrome will only deliver cookies with cross-site
> requests if they are set with `SameSite=None`. You can review
> cookies in developer tools under Application>Storage>Cookies and
> see more details at
> https://www.chromestatus.com/feature/5088147346030592."
>
> Chrome 76 (the stable release) works fine, and Canary works if I
> disable the "SameSite by default cookies"
> (chrome://flags/#same-site-by-default-cookies). However the link in
> the deprecation warning notes that this feature will be enabled by
> default in Chrome 80.
>
> I've read the CookieProcessor docs
> (https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
> which leads me to believe that sameSiteCookies is set to none by default.
> However I don't see that in Chrome's DevTools, nor in the
> JSESSIONID I receive when testing my server app with Insomnia
> v6.6.2. I have tried setting the CookieProcessor explicitly by
> adding
>
> to conf/context.xml but to no effect.

The default is "none". When it's set to "none" (or not set at all,
because it's the default), then you get "none".

> BTW, I'm using https://github.com/eBay/cors-filter for my CORS
> filters. I don't think my apps will be run in something other than
> Tomcat's, but can't say that for certain (certainly my boss and
> customer support manager want me to stay as generic as possible).
>
> Am I missing something? How can I fix this issue?

When the value is "none", then no SameSite attribute is sent. At all.
It doesn't send "SameSite=none" to the browser. It sends nothing.
Chrome is complaining about the SameSite attribute not being sent. If
you want Chrome to stop complaining, then set the sameSite attribute
to something *other than* "none".

-chris