[ https://issues.apache.org/jira/browse/DELTASPIKE-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707192#comment-17707192 ]
ASF subversion and git services commented on DELTASPIKE-1435:
-------------------------------------------------------------

Commit ee75c070dbb5e178978d0674cf949ea7de9ad000 in deltaspike's branch refs/heads/master from Juri Berlanda
[ https://gitbox.apache.org/repos/asf?p=deltaspike.git;h=ee75c070d ]

DELTASPIKE-1435 Add SameSite=Strict to windowhandler.js

Firefox complains about the missing flag, and announces, that the Cookie
"will be soon rejected". Enforcing SameSite=Strict in JavaScript (as
already done on server side) makes Firefox happy, and hence the warning
goes away.

Signed-off-by: Juri Berlanda <juriberla...@hotmail.com>


> dsrwid cookie should not be set to sameSite="None" - again
> ----------------------------------------------------------
>
>                 Key: DELTASPIKE-1435
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1435
>             Project: DeltaSpike
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>   Affects Versions: 1.9.5
>            Reporter: Juri Berlanda
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Very similar to DELTASPIKE-1413, this refers to the missing {{SameSite}}
> attribute in {{windowhandler.js}}
> (https://github.com/apache/deltaspike/blob/deltaspike-1.9.5/deltaspike/modules/jsf/impl/src/main/resources/META-INF/resources/deltaspike/windowhandler.js#L619)
> This means, that the following warning still appears in Firefox (tested on
> 90.0.2):
> {quote}Cookie “dsrwid-326” will be soon rejected because it has the
> “SameSite” attribute set to “None” or an invalid value, without the “secure”
> attribute. To know more about the “SameSite“ attribute, read
> https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
> windowhandler.js.xhtml:17:364{quote}
> Now, I'd propose to set the cookie to {{SameSite=Strict}} here, too. PR is in
> the works.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
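
The check and the change described in the message above, as an added example that is not part of the original message and is not DeltaSpike's windowhandler.js code: it audits a `document.cookie` assignment string for its SameSite attribute and rewrites it to carry `SameSite=Strict` exactly once. The function names, the cookie value and the `path` and `max-age` attributes are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not DeltaSpike identifiers.
const VALID_SAMESITE = new Set(["strict", "lax", "none"]);

// Split "name=value; Attr=val; Flag" into a lower-cased attribute map.
// The first segment is the cookie pair itself and is never an attribute.
function parseCookieAttributes(assignment) {
  const attrs = new Map();
  const parts = assignment.split(";").map((p) => p.trim());
  for (const part of parts.slice(1)) {
    if (part === "") continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return attrs;
}

// Return finding codes for one assignment; an empty array means it passes.
function auditSameSite(assignment) {
  const attrs = parseCookieAttributes(assignment);
  if (!attrs.has("samesite")) return ["missing-samesite"];
  const sameSite = attrs.get("samesite").toLowerCase();
  if (!VALID_SAMESITE.has(sameSite)) return ["invalid-samesite"];
  if (sameSite === "none" && !attrs.has("secure")) return ["none-without-secure"];
  return [];
}

// Drop any existing SameSite attribute and append SameSite=Strict, so the
// result carries the attribute once regardless of what the input had.
function withSameSiteStrict(assignment) {
  const parts = assignment.split(";").map((p) => p.trim()).filter((p) => p !== "");
  const kept = parts.filter((p, i) => i === 0 || !/^samesite(\s*=|$)/i.test(p));
  return [...kept, "SameSite=Strict"].join("; ");
}

// Constructed sample inputs: the cookie name is the one in the quoted
// warning; the value and the other attributes are made up for this example.
const before = "dsrwid-326=1234; path=/; max-age=3";
const after = withSameSiteStrict(before);

console.log(before, "->", auditSameSite(before)); // flagged
console.log(after, "->", auditSameSite(after));   // passes
```
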