[ https://issues.apache.org/jira/browse/WICKET-7037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707808#comment-17707808 ]
ASF GitHub Bot commented on WICKET-7037:
----------------------------------------

reiern70 commented on code in PR #566:
URL: https://github.com/apache/wicket/pull/566#discussion_r1155624709

##########
wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/wicket-ajaxdownload.js:
##########
@@ -28,7 +28,7 @@ Wicket.AjaxDownload = { initiate : function(settings) { document.cookie = settings.name + - '=;path=/;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:01 GMT'; + '=;path=/;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:01 GMT; SameSite=None; Secure';

Review Comment:
> I'm not sure regarding this change
>
> One of use-cases of our application is "Run inside `iframe`" This mode requires modification of `webapps/_ctx_/META-INF/context.xml` And setting
>
> `<CookieProcessor sameSiteCookies="None" />` (Lax by default)
>
> So _maybe_ Servlet container can handle this?

I don't think so because this is used by server side cookie processor like in code below

![image](https://user-images.githubusercontent.com/462655/229450273-ea8247c1-be69-4c68-ac10-325f6b085d6e.png)

to add the SameSite thing to server side generated cookies. Maybe we should make this configurable by passing some parameter to the JavaScript layer?

> [Ajax Download] cookie used to track download complete misses the SameSite attribute
> ------------------------------------------------------------------------------------
>
> Key: WICKET-7037
> URL: https://issues.apache.org/jira/browse/WICKET-7037
> Project: Wicket
> Issue Type: Bug
> Reporter: Ernesto Reinaldo Barreiro
> Assignee: Ernesto Reinaldo Barreiro
> Priority: Major
> Attachments: image-2023-04-02-11-58-25-399.png
>
>
> Firefox produces the following warning when using AjaxDownload
> Cookie “wicket-ajaxdownload-id63-0” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read [https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite]
>
> from
>
> !image-2023-04-02-11-58-25-399.png!
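
Review bot: The new literal in `initiate` hard-codes `SameSite=None; Secure` on the write that expires the tracking cookie, which is the loosest SameSite setting and also ties the write to HTTPS: browsers refuse a `Secure` cookie written from a page served over plain HTTP, so on such a deployment this assignment would be dropped and the old cookie would not be cleared. The Firefox warning quoted in the issue only asks for an explicit, valid value, so `SameSite=Lax` would satisfy it for same-site use, with `None; Secure` kept for the embedded (iframe) case. Since `settings` is already passed in, consider reading the attribute from it, for example a `settings.sameSite` field (a hypothetical name) defaulting to `Lax`, and appending `Secure` only when the value is `None`. Only the clearing write is visible in this hunk; the write that creates the cookie should carry the same attributes.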
-- This message was sent by Atlassian Jira (v8.20.10#820010)