[ https://issues.apache.org/jira/browse/JSPWIKI-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18036600#comment-18036600 ]
Alex O'Ree commented on JSPWIKI-1129:
-------------------------------------
We should be able to make it optional. Server side could probably be a new
property, client side: if window.location starts with https, set the secure
only flags.

Docker configuration will probably need some updates too, however using the
configuration as is will definitely fail a security audit regardless. End users
will probably mount in their own Tomcat server.xml, keystores, truststore,
jspwiki properties file, web.xml etc. regardless. Making the cookie settings
optional will mitigate the need to update the Docker configuration now and we
can save any further security changes for another Jira issue.
> JSPUserWikiPrefs cookie is missing sameSite and/or secure attribute
> --------------------------------------------------------------------
>
> Key: JSPWIKI-1129
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1129
> Project: JSPWiki
> Issue Type: Improvement
> Components: Templates and UI
> Affects Versions: 2.11.0-M6
> Environment: This can be reproduced on https://jspwiki-wiki.apache.org
> Reporter: Ulf Dittmer
> Assignee: Alex O'Ree
> Priority: Minor
> Labels: pull-request-available
>
> Firefox shows this message in the console: Cookie “JSPWikiUserPrefs” will be
> soon rejected because it has the “sameSite” attribute set to “none” or an
> invalid value, without the “secure” attribute. To know more about the
> “sameSite“ attribute, read
> [https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
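
The client-side approach from the comment above (add `Secure` only when the page is served over https), as an added example that is not JSPWiki code or part of the original message. The function name, its options and the sample value are hypothetical, and falling back from `SameSite=None` to `Lax` on plain HTTP is this example's own choice, made because browsers reject `None` without `Secure`.

```javascript
'use strict';
// Added example, not JSPWiki code. buildPrefsCookie and its options are hypothetical names.

const ALLOWED_SAMESITE = ['Strict', 'Lax', 'None'];

/**
 * Build the string to assign to document.cookie for a preferences cookie.
 * protocol is the value of window.location.protocol ("https:" or "http:").
 */
function buildPrefsCookie(name, value, protocol, opts = {}) {
  // Secure cookies are only usable over HTTPS, so the flag follows the page protocol.
  const secure = protocol === 'https:';

  let sameSite = opts.sameSite || 'Lax';
  if (!ALLOWED_SAMESITE.includes(sameSite)) {
    throw new Error('invalid SameSite value: ' + sameSite);
  }
  // SameSite=None without Secure is what triggers the browser warning in the issue;
  // on plain HTTP this example falls back to Lax instead (assumption of the example).
  if (sameSite === 'None' && !secure) {
    sameSite = 'Lax';
  }

  const parts = [
    encodeURIComponent(name) + '=' + encodeURIComponent(value),
    'Path=' + (opts.path || '/'),
    'SameSite=' + sameSite,
  ];
  if (Number.isInteger(opts.maxAgeDays)) {
    parts.push('Max-Age=' + opts.maxAgeDays * 24 * 60 * 60);
  }
  if (secure) {
    parts.push('Secure');
  }
  return parts.join('; ');
}

// In a browser, write the cookie; the JSON value here is constructed sample data.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.cookie = buildPrefsCookie(
    'JSPWikiUserPrefs', '{"editor":"plain"}', window.location.protocol, { maxAgeDays: 20 });
}
```

JavaScript cannot set `HttpOnly`, so any cookie that must be hidden from scripts still has to be issued by the server.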