This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 1617226 Fixed: Ensure that the SameSite attribute is set to 'strict'
for all cookies.
1617226 is described below
commit 16172268977aae2c43f8535d1421fb735d1ccb6d
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Mar 21 11:55:53 2020 +0100
Fixed: Ensure that the SameSite attribute is set to 'strict' for all
cookies.
(OFBIZ-11470)
It's better to allow users to change from strict to lax, at least for all
cookies. Some could want to change it by cookie type. I leave that exercise to
them :)
See: https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60
Conflicts handled by hand
framework/security/config/security.properties
---
framework/security/config/security.properties | 4 ++++
.../main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java | 8 ++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index fd70f07..5b809ff 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -134,3 +134,7 @@ security.login.externalLoginKey.enabled=true
# -- Security key used to encrypt and decrypt the autogenerated password in
forgot password functionality.
login.secret_key_string=Secret Key
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to
change it ot lax if needed
+SameSiteCookieAttribute=
+
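Review bot: The new comment does not say which values are accepted, and SameSiteFilter copies the property verbatim into every Set-Cookie header, so a value other than strict/lax/none is emitted as-is and a value of none is only honoured by browsers when the cookie also carries Secure; the comment also has a typo ("ot lax"). I would replace the comment line with `# -- SameSite attribute appended to every Set-Cookie header by SameSiteFilter. Default is strict; set to lax if needed. Only strict, lax and none are meaningful, and none requires the cookie to be Secure.`. The empty default `SameSiteCookieAttribute=` presumably relies on UtilProperties.getPropertyValue treating an empty value like a missing key and returning the "strict" fallback; if it returns the empty string instead, the header becomes `SameSite=`, so that is worth confirming.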
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
index bc96fec..e064332 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
@@ -28,8 +28,12 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.HttpHeaders;
+import org.apache.ofbiz.base.util.UtilProperties;
+
public class SameSiteFilter implements javax.servlet.Filter {
+
+ private static final String SameSiteCookieAttribute =
UtilProperties.getPropertyValue("security.properties",
"SameSiteCookieAttribute", "strict");
@Override
public void init(FilterConfig filterConfig) throws ServletException {
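Review bot: The configured value is read once into the static field without any validation, so whatever is in security.properties (a typo, an arbitrary token, or "none" on a non-Secure cookie) lands unchanged in every Set-Cookie header; I would resolve the value through a small helper that only accepts strict, lax or none and falls back to strict otherwise, as sketched below. Browsers are expected to match the attribute value case-insensitively, so the change from "Strict" to the lowercase "strict" default should be harmless, but normalising to a known spelling in the helper costs nothing. As a point of style, `SameSiteCookieAttribute` is a static final constant and the project's Java convention would call it `SAME_SITE_COOKIE_ATTRIBUTE`; renaming it also touches the two uses in doFilter in the next hunk, so I kept the existing name in the sketch. The class body continues outside this hunk.
```java
private static final String SameSiteCookieAttribute = resolveSameSiteAttribute();

// Only strict, lax and none are valid SameSite values; anything else falls back to strict
// so a misconfiguration can never weaken the cookie policy below the default.
private static String resolveSameSiteAttribute() {
    String configured = UtilProperties.getPropertyValue("security.properties",
            "SameSiteCookieAttribute", "strict").trim();
    if ("lax".equalsIgnoreCase(configured) || "none".equalsIgnoreCase(configured)) {
        return configured;
    }
    return "strict";
}
```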
@@ -46,11 +50,11 @@ public class SameSiteFilter implements javax.servlet.Filter
{
boolean firstHeader = true;
for (String header : headers) { // there can be multiple Set-Cookie
attributes
if (firstHeader) {
- response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s;
%s", header, "SameSite=Strict"));
+ response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s;
%s", header, "SameSite=" + SameSiteCookieAttribute));
firstHeader = false;
continue;
}
- response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s",
header, "SameSite=Strict"));
+ response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s",
header, "SameSite=" + SameSiteCookieAttribute));
}
}
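Review bot: Both rewritten Set-Cookie lines append `SameSite=<value>` unconditionally, so a cookie whose header already carries a SameSite attribute (set by application code or another filter) ends up with two of them, and which one the browser honours is then up to the browser. I would build the header value once per cookie and skip the append when the attribute is already present, which also removes the duplicated String.format call between the setHeader and addHeader branches; the sketch below needs `java.util.Locale` imported. The enclosing doFilter method starts outside this hunk, so the `headers` and `response` variables are taken from context.
```java
String sameSite = "SameSite=" + SameSiteCookieAttribute;
boolean firstHeader = true;
for (String header : headers) { // there can be multiple Set-Cookie attributes
    // Do not append a second SameSite attribute if the cookie already declares one
    String value = header.toLowerCase(Locale.ROOT).contains("samesite=")
            ? header
            : String.format("%s; %s", header, sameSite);
    if (firstHeader) {
        response.setHeader(HttpHeaders.SET_COOKIE, value);
        firstHeader = false;
    } else {
        response.addHeader(HttpHeaders.SET_COOKIE, value);
    }
}
```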