Lazar,

On 2/14/20 05:36, Lazar Kirchev wrote:
> Chris,
>
> Just FYI or in case someone else hits this problem.
>
> Actually I had to use the response wrapper approach for Tomcat
> 8.5.50 as well. As described by Chrome in
> https://www.chromium.org/updates/same-site/incompatible-clients,
> there are older browser versions which do not support the SameSite
> attribute at all and reject the cookies which contain it. Although
> Tomcat 8.5.42 and later provide the CookieProcessor configuration
> for the SameSite attribute, it is a problem if one wants to
> support older browser versions as well.

Wow, what a huge pain in the neck.

I don't see anything in RFC 6265 that says anything about rejecting
cookies with unknown attributes, but I also don't see anything
prohibiting that behavior, either. Then again, RFC 6265 doesn't
mention the SameSite attribute at all, so ... there is that. This is
what you get when vendors try to implement standards before they are
standards.

> Adding the SameSite attribute in order to support newest Chrome
> breaks the old ones as the configuration via the CookieProcessor
> does not allow for user agent sniffing. Even if you extend the
> existing CookieProcessor implementations or create your own, you
> cannot get the request headers in it so that you can check for the
> browser version. If one needs such flexibility, only the response
> wrapper helps. Do you think that it makes sense to provide a
> mechanism in the CookieProcessor to get access to the request
> headers in order to check the user agent?

Are you referring to CookieProcessor.generateCookie(Cookie)? So the
proposal would be to change that to
CookieProcessor.generateCookie(String userAgent, Cookie)? Or maybe
even CookieProcessor.generateCookie(Map<> requestHeaders, Cookie)?

It seems super hacky to do it that way, but I'm not sure I see another
option for introducing SameSite in a compatible way.

-chris
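
The response-wrapper approach discussed in this thread, as an added example (not code from either poster or from Tomcat): a servlet filter that appends `SameSite=None` to `Set-Cookie` headers only when the request's User-Agent is not a known-incompatible client. The class names and the simplified User-Agent check are assumptions, as is the premise that the site is served over HTTPS so that adding `Secure` is safe.

```java
import java.io.*;
import java.util.*;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SameSiteFilter implements Filter {
    // Simplified subset of the Chromium incompatible-clients list (assumption):
    // Chrome/Chromium 51-66, anything on iOS 12, WebKit on macOS 10.14.
    private static final Pattern CHROME = Pattern.compile("Chrom[^ /]+/(\\d{1,4})");
    private static final Pattern APPLE = Pattern.compile("\\(iP.+; CPU .*OS 12_|Mac OS X 10_14");

    static boolean acceptsSameSiteNone(String ua) {
        Matcher m = CHROME.matcher(ua == null ? "" : ua);
        if (!m.find()) return ua == null || !APPLE.matcher(ua).find();
        int major = Integer.parseInt(m.group(1));
        return major < 51 || major > 66;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String ua = ((HttpServletRequest) req).getHeader("User-Agent");
        if (!acceptsSameSiteNone(ua)) { chain.doFilter(req, res); return; } // leave cookies untouched
        SameSiteResponse wrapped = new SameSiteResponse((HttpServletResponse) res);
        chain.doFilter(req, wrapped);
        wrapped.patch(); // covers responses that never opened a body stream
    }

    static class SameSiteResponse extends HttpServletResponseWrapper {
        SameSiteResponse(HttpServletResponse r) { super(r); }

        // Rewrite Set-Cookie before the body starts, while headers can still change.
        void patch() {
            if (isCommitted()) return;
            List<String> cookies = new ArrayList<>(getHeaders("Set-Cookie"));
            for (int i = 0; i < cookies.size(); i++) {
                String c = cookies.get(i), lc = c.toLowerCase(Locale.ROOT);
                // Cookies that already carry SameSite are left as the application set them.
                if (!lc.contains("samesite=")) c += lc.contains("; secure") ? "; SameSite=None" : "; SameSite=None; Secure";
                if (i == 0) setHeader("Set-Cookie", c); else addHeader("Set-Cookie", c);
            }
        }
        @Override public PrintWriter getWriter() throws IOException { patch(); return super.getWriter(); }
        @Override public ServletOutputStream getOutputStream() throws IOException { patch(); return super.getOutputStream(); }
        @Override public void sendRedirect(String l) throws IOException { patch(); super.sendRedirect(l); }
    }
}
```

Cookies added after the body stream has been opened are only rewritten if the response is still uncommitted when the filter chain returns, so the filter should be mapped ahead of any code that sets cookies late.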