On Sat, Aug 17, 2019 at 9:23 PM Christopher Schultz < ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Thad, > > On 8/17/19 17:06, Thad Humphries wrote: > > I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 > > (4.12.0). I've encountered a problem with Chrome Canary Version > > 78.0.3886.0 which installed today, August 17th, 2019. > > > > When beginning the session with my server, Chrome will not honor > > the JSESSIONID cookie. In the Chrome console is the warning: > > > > > > "[Deprecation] A cookie associated with a cross-site resource at > > http://localhost/ was set without the `SameSite` attribute. A > > future release of Chrome will only deliver cookies with cross-site > > requests if they are set with `SameSite=None`. You can review > > cookies in developer tools under Application>Storage>Cookies and > > see more details at > > https://www.chromestatus.com/feature/5088147346030592."; > > > > > > Chrome 76 (the stable release) works fine, and Canary works if I > > disable the "SameSite by default cookies" > > (chrome://flags/#same-site-by-default-cookies). However the link in > > the deprecation warning notes that this feature will be enabled by > > default in Chrome 80. > > > > I've read the CookieProcessor docs ( > > https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html) > > > > > which leads me to believe that sameSiteCookies is set to none by default > . > > However I don't see that in Chrome's DevTools, nor in the > > JSESSIONID I receive when testing my server app with Insomnia > > v6.6.2. I have tried setting the CookieProcessor explicitly by > > adding > > > > <CookieProcessor sameSiteCookies="none"></CookieProcessor> > > > > > > to conf/context.xml but to no effect. > > The default is "none". When it's set to "none" (or not set it all, > because it's the default, then you get "none". > > > BTW, I'm using https://github.com/eBay/cors-filter for my CORS > > filters. I don't think my apps will be run in something other than > > Tomcat's, but can't say that for certain (certainly my boss and > > customer support manager want me to stay as generic as possible). > > > > Am I missing something? How can I fix this issue? > > When the value is "none", then no SameSite attribute is sent. At all. > It doesn't send "SameSite=none" to the browser. It sends nothing. > Chrome is complaining about the SameSite attribute not being sent. If > you want Chrome to stop complaining, then set the sameSite attribute > to something *other than* "none". > > - -chris > Ah! Thank you. Setting sameSiteCookies="lax" works with the default or with explicitly enabling it. I thought I'd tried this before, but maybe that was before I installed Tomcat 8.5.43. Or maybe I was editing the wrong context.xml among the different Tomcat's on my server. Whatever, it's working now. Thanks again. -- "Hell hath no limits, nor is circumscrib'd In one self-place; but where we are is hell, And where hell is, there must we ever be" --Christopher Marlowe, *Doctor Faustus* (v. 111-13)
