Re: Chrome Canary and SameSite cookie setting
On Sat, Aug 17, 2019 at 9:23 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Thad,
>
> On 8/17/19 17:06, Thad Humphries wrote:
> > I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 (4.12.0). I've encountered a problem with Chrome Canary Version 78.0.3886.0 which installed today, August 17th, 2019.
> >
> > When beginning the session with my server, Chrome will not honor the JSESSIONID cookie. In the Chrome console is the warning:
> >
> > "[Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592."
> >
> > Chrome 76 (the stable release) works fine, and Canary works if I disable the "SameSite by default cookies" (chrome://flags/#same-site-by-default-cookies). However the link in the deprecation warning notes that this feature will be enabled by default in Chrome 80.
> >
> > I've read the CookieProcessor docs (https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html) which leads me to believe that sameSiteCookies is set to none by default. However I don't see that in Chrome's DevTools, nor in the JSESSIONID I receive when testing my server app with Insomnia v6.6.2. I have tried setting the CookieProcessor explicitly by adding to conf/context.xml but to no effect.
>
> The default is "none". When it's set to "none" (or not set at all, because it's the default), then you get "none".
>
> > BTW, I'm using https://github.com/eBay/cors-filter for my CORS filters. I don't think my apps will be run in something other than Tomcat's, but can't say that for certain (certainly my boss and customer support manager want me to stay as generic as possible).
> >
> > Am I missing something? How can I fix this issue?
>
> When the value is "none", then no SameSite attribute is sent. At all. It doesn't send "SameSite=none" to the browser. It sends nothing. Chrome is complaining about the SameSite attribute not being sent. If you want Chrome to stop complaining, then set the sameSite attribute to something *other than* "none".
>
> -chris

Ah! Thank you. Setting sameSiteCookies="lax" works with the default or with explicitly enabling it. I thought I'd tried this before, but maybe that was before I installed Tomcat 8.5.43. Or maybe I was editing the wrong context.xml among the different Tomcats on my server. Whatever, it's working now. Thanks again.

--
"Hell hath no limits, nor is circumscrib'd
In one self-place; but where we are is hell,
And where hell is, there must we ever be"
--Christopher Marlowe, *Doctor Faustus* (v. 111-13)
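As an added check that is not part of this thread, the routine below classifies a Set-Cookie header value the way Chrome 80's SameSite defaults described in the exchange treat it: a missing attribute (what Tomcat emits for sameSiteCookies="none") is defaulted to Lax and triggers the deprecation warning, while the HTTP value SameSite=None is only honoured together with Secure. The JSESSIONID header lines are constructed to resemble Tomcat's output and are an assumption, not captured from a server.

```python
from typing import Dict, Tuple

# Constructed sample Set-Cookie values modelled on what Tomcat 8.5 sends for
# JSESSIONID under different CookieProcessor sameSiteCookies settings
# (assumed header text, not captured from a real Tomcat instance).
SAMPLE_HEADERS = {
    "sameSiteCookies=none (default)": "JSESSIONID=ABC123; Path=/; HttpOnly",
    "sameSiteCookies=lax": "JSESSIONID=ABC123; Path=/; HttpOnly; SameSite=Lax",
    "sameSiteCookies=strict": "JSESSIONID=ABC123; Path=/; HttpOnly; SameSite=Strict",
    "SameSite=None without Secure": "JSESSIONID=ABC123; Path=/; HttpOnly; SameSite=None",
    "SameSite=None with Secure": "JSESSIONID=ABC123; Path=/; Secure; HttpOnly; SameSite=None",
}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a dict of its
    attributes (names lower-cased; flag attributes such as Secure map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def chrome80_verdict(header: str) -> str:
    """Classify a Set-Cookie header under Chrome 80's SameSite defaults:
    no attribute -> treated as Lax (deprecation warning, withheld cross-site);
    SameSite=None without Secure -> rejected; SameSite=None; Secure -> sent
    cross-site; Lax/Strict -> explicit and accepted."""
    _, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite")
    if same_site is None:
        return "missing: defaulted to Lax (deprecation warning, withheld cross-site)"
    mode = same_site.lower()
    if mode == "none":
        if "secure" in attrs:
            return "None+Secure: sent cross-site"
        return "None without Secure: rejected"
    if mode in ("lax", "strict"):
        return f"{mode}: explicit, accepted"
    # Unrecognised values are handled like a missing attribute.
    return f"unknown value {same_site!r}: treated as Lax"


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label} -> {chrome80_verdict(header)}")
```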
Re: Chrome Canary and SameSite cookie setting
Thad,

On 8/17/19 17:06, Thad Humphries wrote:
> I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 (4.12.0). I've encountered a problem with Chrome Canary Version 78.0.3886.0 which installed today, August 17th, 2019.
>
> When beginning the session with my server, Chrome will not honor the JSESSIONID cookie. In the Chrome console is the warning:
>
> "[Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592."
>
> Chrome 76 (the stable release) works fine, and Canary works if I disable the "SameSite by default cookies" (chrome://flags/#same-site-by-default-cookies). However the link in the deprecation warning notes that this feature will be enabled by default in Chrome 80.
>
> I've read the CookieProcessor docs (https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html) which leads me to believe that sameSiteCookies is set to none by default. However I don't see that in Chrome's DevTools, nor in the JSESSIONID I receive when testing my server app with Insomnia v6.6.2. I have tried setting the CookieProcessor explicitly by adding to conf/context.xml but to no effect.

The default is "none". When it's set to "none" (or not set at all, because it's the default), then you get "none".

> BTW, I'm using https://github.com/eBay/cors-filter for my CORS filters. I don't think my apps will be run in something other than Tomcat's, but can't say that for certain (certainly my boss and customer support manager want me to stay as generic as possible).
>
> Am I missing something? How can I fix this issue?
When the value is "none", then no SameSite attribute is sent. At all. It doesn't send "SameSite=none" to the browser. It sends nothing. Chrome is complaining about the SameSite attribute not being sent. If you want Chrome to stop complaining, then set the sameSite attribute to something *other than* "none".

-chris
Chrome Canary and SameSite cookie setting
I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 (4.12.0). I've encountered a problem with Chrome Canary Version 78.0.3886.0 which installed today, August 17th, 2019.

When beginning the session with my server, Chrome will not honor the JSESSIONID cookie. In the Chrome console is the warning:

"[Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592."

Chrome 76 (the stable release) works fine, and Canary works if I disable the "SameSite by default cookies" (chrome://flags/#same-site-by-default-cookies). However the link in the deprecation warning notes that this feature will be enabled by default in Chrome 80.

I've read the CookieProcessor docs (https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html) which leads me to believe that sameSiteCookies is set to none by default. However I don't see that in Chrome's DevTools, nor in the JSESSIONID I receive when testing my server app with Insomnia v6.6.2. I have tried setting the CookieProcessor explicitly by adding to conf/context.xml but to no effect.

BTW, I'm using https://github.com/eBay/cors-filter for my CORS filters. I don't think my apps will be run in something other than Tomcat's, but can't say that for certain (certainly my boss and customer support manager want me to stay as generic as possible).

Am I missing something? How can I fix this issue?

--
"Hell hath no limits, nor is circumscrib'd
In one self-place; but where we are is hell,
And where hell is, there must we ever be"
--Christopher Marlowe, *Doctor Faustus* (v. 111-13)