Re: Chrome Canary and SameSite cookie setting

2019-08-18 Thread Thad Humphries
On Sat, Aug 17, 2019 at 9:23 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Thad,
>
> On 8/17/19 17:06, Thad Humphries wrote:
> > I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06
> > (4.12.0). I've encountered a problem with Chrome Canary Version
> > 78.0.3886.0 which installed today, August 17th, 2019.
> >
> > When beginning the session with my server, Chrome will not honor
> > the JSESSIONID cookie. In the Chrome console is the warning:
> >
> >
> > "[Deprecation] A cookie associated with a cross-site resource at
> > http://localhost/ was set without the `SameSite` attribute. A
> > future release of Chrome will only deliver cookies with cross-site
> > requests if they are set with `SameSite=None`. You can review
> > cookies in developer tools under Application>Storage>Cookies and
> > see more details at
> > https://www.chromestatus.com/feature/5088147346030592.
> >
> >
> > Chrome 76 (the stable release) works fine, and Canary works if I
> > disable the "SameSite by default cookies"
> > (chrome://flags/#same-site-by-default-cookies). However the link in
> > the deprecation warning notes that this feature will be enabled by
> > default in Chrome 80.
> >
> > I've read the CookieProcessor docs (
> > https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
> > which leads me to believe that sameSiteCookies is set to none by default.
> > However I don't see that in Chrome's DevTools, nor in the
> > JSESSIONID I receive when testing my server app with Insomnia
> > v6.6.2. I have tried setting the CookieProcessor explicitly by
> > adding
> >
> > 
> >
> >
> > to conf/context.xml but to no effect.
>
> The default is "none". When it's set to "none" (or not set at all,
> because it's the default), then you get "none".
>
> > BTW, I'm using https://github.com/eBay/cors-filter for my CORS
> > filters. I don't think my apps will be run in something other than
> > Tomcat's, but can't say that for certain (certainly my boss and
> > customer support manager want me to stay as generic as possible).
> >
> > Am I missing something? How can I fix this issue?
>
> When the value is "none", then no SameSite attribute is sent. At all.
> It doesn't send "SameSite=none" to the browser. It sends nothing.
> Chrome is complaining about the SameSite attribute not being sent. If
> you want Chrome to stop complaining, then set the sameSite attribute
> to something *other than* "none".
>
> - -chris
>

Ah! Thank you. Setting sameSiteCookies="lax" works with the default or with
explicitly enabling it.

I thought I'd tried this before, but maybe that was before I installed
Tomcat 8.5.43. Or maybe I was editing the wrong context.xml among the
different Tomcat's on my server. Whatever, it's working now. Thanks again.

-- 
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 111-13)


Re: Chrome Canary and SameSite cookie setting

2019-08-17 Thread Christopher Schultz

Thad,

On 8/17/19 17:06, Thad Humphries wrote:
> I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06
> (4.12.0). I've encountered a problem with Chrome Canary Version
> 78.0.3886.0 which installed today, August 17th, 2019.
> 
> When beginning the session with my server, Chrome will not honor
> the JSESSIONID cookie. In the Chrome console is the warning:
> 
> 
> "[Deprecation] A cookie associated with a cross-site resource at 
> http://localhost/ was set without the `SameSite` attribute. A
> future release of Chrome will only deliver cookies with cross-site
> requests if they are set with `SameSite=None`. You can review
> cookies in developer tools under Application>Storage>Cookies and
> see more details at 
> https://www.chromestatus.com/feature/5088147346030592.
> 
> 
> Chrome 76 (the stable release) works fine, and Canary works if I
> disable the "SameSite by default cookies" 
> (chrome://flags/#same-site-by-default-cookies). However the link in
> the deprecation warning notes that this feature will be enabled by
> default in Chrome 80.
> 
> I've read the CookieProcessor docs (
> https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
> which leads me to believe that sameSiteCookies is set to none by default.
> However I don't see that in Chrome's DevTools, nor in the
> JSESSIONID I receive when testing my server app with Insomnia
> v6.6.2. I have tried setting the CookieProcessor explicitly by
> adding
> 
> 
> 
> 
> to conf/context.xml but to no effect.

The default is "none". When it's set to "none" (or not set at all,
because it's the default), then you get "none".

> BTW, I'm using https://github.com/eBay/cors-filter for my CORS
> filters. I don't think my apps will be run in something other than
> Tomcat's, but can't say that for certain (certainly my boss and
> customer support manager want me to stay as generic as possible).
> 
> Am I missing something? How can I fix this issue?

When the value is "none", then no SameSite attribute is sent. At all.
It doesn't send "SameSite=none" to the browser. It sends nothing.
Chrome is complaining about the SameSite attribute not being sent. If
you want Chrome to stop complaining, then set the sameSite attribute
to something *other than* "none".

- -chris

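As an added example (not from the thread, and not Tomcat's own code), the Python below models what Chris describes and what the Chrome deprecation warning means for the resulting cookie: Tomcat 8.5.43's sameSiteCookies="none" emits no SameSite attribute, which Chrome 80 treats as Lax, while SameSite=None is only honoured when the cookie is also Secure. The TOMCAT_SAMESITE mapping and the Set-Cookie strings are constructed from the thread's explanation rather than read from Tomcat.

```python
from dataclasses import dataclass
from typing import Optional

# Tomcat 8.5.43 sameSiteCookies value -> SameSite attribute actually emitted,
# as described in the thread: "none" sends no attribute at all (assumed mapping).
TOMCAT_SAMESITE = {"none": None, "lax": "Lax", "strict": "Strict"}


def build_set_cookie(name, value, same_site_cookies="none", secure=False):
    """Render a Set-Cookie header the way the thread says Tomcat 8.5.43 does."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    attr = TOMCAT_SAMESITE[same_site_cookies]
    if attr is not None:
        parts.append(f"SameSite={attr}")
    return "; ".join(parts)


@dataclass
class Verdict:
    effective_same_site: str    # how Chrome 80 treats the cookie
    sent_cross_site: bool       # delivered on cross-site requests?
    warning: Optional[str]      # console-style finding, if any


def audit_set_cookie(header: str) -> Verdict:
    """Apply Chrome 80's SameSite-by-default rules to one Set-Cookie header."""
    attrs = [a.strip() for a in header.split(";")[1:]]
    flags = {a.lower() for a in attrs if "=" not in a}
    kv = {k.strip().lower(): v.strip()
          for k, v in (a.split("=", 1) for a in attrs if "=" in a)}
    same_site = kv.get("samesite", "").lower()
    if same_site == "none":
        # Chrome 80 drops SameSite=None cookies that are not also Secure.
        if "secure" not in flags:
            return Verdict("rejected", False,
                           "SameSite=None without Secure: cookie is dropped")
        return Verdict("None", True, None)
    if same_site in ("lax", "strict"):
        return Verdict(same_site.capitalize(), False, None)
    # Missing (or unrecognised) attribute: Chrome 80 defaults to Lax, which is
    # exactly the case the deprecation warning in the thread is about.
    return Verdict("Lax", False,
                   "no SameSite attribute; Chrome 80 treats it as Lax")
```

Feeding the header for sameSiteCookies="none" into audit_set_cookie() reproduces the warning, while "lax" yields the same effective policy with no finding, which is why the explicit setting silenced Chrome.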



Chrome Canary and SameSite cookie setting

2019-08-17 Thread Thad Humphries
I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 (4.12.0).
I've encountered a problem with Chrome Canary Version 78.0.3886.0 which
installed today, August 17th, 2019.

When beginning the session with my server, Chrome will not honor the
JSESSIONID cookie. In the Chrome console is the warning:


"[Deprecation] A cookie associated with a cross-site resource at
http://localhost/ was set without the `SameSite` attribute. A future
release of Chrome will only deliver cookies with cross-site requests if
they are set with `SameSite=None`. You can review cookies in developer
tools under Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592.


Chrome 76 (the stable release) works fine, and Canary works if I disable
the "SameSite by default cookies"
(chrome://flags/#same-site-by-default-cookies).
However the link in the deprecation warning notes that this feature will be
enabled by default in Chrome 80.

I've read the CookieProcessor docs (
https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
which leads me to believe that sameSiteCookies is set to none by default.
However I don't see that in Chrome's DevTools, nor in the JSESSIONID I
receive when testing my server app with Insomnia v6.6.2. I have tried
setting the CookieProcessor explicitly by adding




to conf/context.xml but to no effect.

BTW, I'm using https://github.com/eBay/cors-filter for my CORS filters. I
don't think my apps will be run in something other than Tomcat's, but can't
say that for certain (certainly my boss and customer support manager want
me to stay as generic as possible).

Am I missing something? How can I fix this issue?
