This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 918e09ec6fa1b08b42638583a4da531b123d84d0
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Sep 15 11:40:40 2020 +0100
Add SameSite=strict to Manager and Host Manager cookies
---
webapps/docs/changelog.xml | 9 +++++++++
webapps/host-manager/META-INF/context.xml | 2 ++
webapps/manager/META-INF/context.xml | 2 ++
3 files changed, 13 insertions(+)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f17503e..f378ad6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -53,6 +53,15 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Web applications">
+ <changelog>
+ <add>
+ Configure the Manager and Host Manager applications to set
+ <code>SameSite=strict</code> for all cookies, including session cookies,
+ created by the application. (markt)
+ </add>
+ </changelog>
+ </subsection>
 <subsection name="Other">
 <changelog>
 <update>
diff --git a/webapps/host-manager/META-INF/context.xml b/webapps/host-manager/META-INF/context.xml
index 8d1f61d..1fa3a5a 100644
--- a/webapps/host-manager/META-INF/context.xml
+++ b/webapps/host-manager/META-INF/context.xml
@@ -16,6 +16,8 @@
 limitations under the License.
 -->
 <Context antiResourceLocking="false" privileged="true" >
+ <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
+ sameSiteCookies="strict" />
 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
 allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
 <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
diff --git a/webapps/manager/META-INF/context.xml b/webapps/manager/META-INF/context.xml
index 0217745..120b7ab 100644
--- a/webapps/manager/META-INF/context.xml
+++ b/webapps/manager/META-INF/context.xml
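Review bot: The new `<CookieProcessor>` element in this host-manager hunk, and the identical one in the webapps/manager hunk that follows, carries no comment explaining why a per-context processor is pinned here, so a later maintainer may remove it as redundant with whatever the server-level default happens to be. Suggest preceding it with `<!-- Every cookie this application creates, including the session cookie, is marked SameSite=strict so a cross-site request cannot carry it; defence in depth alongside CsrfPreventionFilter -->`. SameSite governs only cookies: if the application keeps relying on BASIC authentication, the browser still attaches the Authorization header to cross-site requests, so the CsrfPreventionFilter referenced in the sessionAttributeValueClassNameFilter on the following context line remains the primary CSRF control rather than being superseded by this change. With `strict`, the first navigation into the application from another origin arrives without the session cookie, which is acceptable for an admin tool but is worth stating in the comment so the behaviour is not later mistaken for a session bug.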
@@ -16,6 +16,8 @@
 limitations under the License.
 -->
 <Context antiResourceLocking="false" privileged="true" >
+ <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
+ sameSiteCookies="strict" />
 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
 allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
 <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org