Re: Chrome Canary and SameSite cookie setting

2019-08-17 Thread Christopher Schultz

Thad,

On 8/17/19 17:06, Thad Humphries wrote:
> I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06
> (4.12.0). I've encountered a problem with Chrome Canary Version
> 78.0.3886.0 which installed today, August 17th, 2019.
> 
> When beginning the session with my server, Chrome will not honor
> the JSESSIONID cookie. In the Chrome console is the warning:
> 
> 
> "[Deprecation] A cookie associated with a cross-site resource at 
> http://localhost/ was set without the `SameSite` attribute. A
> future release of Chrome will only deliver cookies with cross-site
> requests if they are set with `SameSite=None`. You can review
> cookies in developer tools under Application>Storage>Cookies and
> see more details at 
> https://www.chromestatus.com/feature/5088147346030592."
> 
> 
> Chrome 76 (the stable release) works fine, and Canary works if I
> disable the "SameSite by default cookies" 
> (chrome://flags/#same-site-by-default-cookies). However the link in
> the deprecation warning notes that this feature will be enabled by
> default in Chrome 80.
> 
> I've read the CookieProcessor docs ( 
> https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
> which leads me to believe that sameSiteCookies is set to none by
> default.
> However I don't see that in Chrome's DevTools, nor in the
> JSESSIONID I receive when testing my server app with Insomnia
> v6.6.2. I have tried setting the CookieProcessor explicitly by
> adding
> 
> 
> 
> 
> to conf/context.xml but to no effect.

The default is "none". When it's set to "none" (or not set at all,
because it's the default), then you get "none".

> BTW, I'm using https://github.com/eBay/cors-filter for my CORS
> filters. I don't think my apps will be run in something other than
> Tomcat's, but can't say that for certain (certainly my boss and
> customer support manager want me to stay as generic as possible).
> 
> Am I missing something? How can I fix this issue?

When the value is "none", then no SameSite attribute is sent. At all.
It doesn't send "SameSite=none" to the browser. It sends nothing.
Chrome is complaining about the SameSite attribute not being sent. If
you want Chrome to stop complaining, then set the sameSite attribute
to something *other than* "none".

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
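
The behaviour described in the reply above can be checked against a server's actual responses. This added example (not part of the original messages) parses `Set-Cookie` header values and reports cookies that carry no usable `SameSite` attribute; the header strings are constructed samples, and the `Secure` check for `SameSite=None` is a Chrome requirement that the thread does not mention.

```python
# Added example: audit Set-Cookie headers for the SameSite attribute.
# The header strings below are constructed samples, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def samesite_status(header_value):
    """Classify a cookie by the SameSite state the browser will see."""
    name, attrs = parse_set_cookie(header_value)
    raw = attrs.get("samesite")
    if raw is None:
        # Per the reply above: sameSiteCookies="none" sends no attribute at all.
        return name, "missing"
    value = raw.lower()
    if value not in ("none", "lax", "strict"):
        return name, "invalid"
    if value == "none" and "secure" not in attrs:
        # Assumption beyond the thread: Chrome also requires Secure here.
        return name, "none-without-secure"
    return name, value


def audit(headers):
    """Return {cookie name: status} for cookies that need attention."""
    flagged = {}
    for header in headers:
        name, status = samesite_status(header)
        if status in ("missing", "invalid", "none-without-secure"):
            flagged[name] = status
    return flagged


SAMPLE_HEADERS = [  # constructed
    "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
    "SESSION2=0123456789ABCDEF; Path=/app; HttpOnly; SameSite=Lax",
    "pref=dark; Path=/; SameSite=None",
    "track=1; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(samesite_status(h), "<-", h)
```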



Chrome Canary and SameSite cookie setting

2019-08-17 Thread Thad Humphries
I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 (4.12.0).
I've encountered a problem with Chrome Canary Version 78.0.3886.0 which
installed today, August 17th, 2019.

When beginning the session with my server, Chrome will not honor the
JSESSIONID cookie. In the Chrome console is the warning:


"[Deprecation] A cookie associated with a cross-site resource at
http://localhost/ was set without the `SameSite` attribute. A future
release of Chrome will only deliver cookies with cross-site requests if
they are set with `SameSite=None`. You can review cookies in developer
tools under Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592."


Chrome 76 (the stable release) works fine, and Canary works if I disable
the "SameSite by default cookies"
(chrome://flags/#same-site-by-default-cookies).
However the link in the deprecation warning notes that this feature will be
enabled by default in Chrome 80.

I've read the CookieProcessor docs (
https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
which leads me to believe that sameSiteCookies is set to none by default.
However I don't see that in Chrome's DevTools, nor in the JSESSIONID I
receive when testing my server app with Insomnia v6.6.2. I have tried
setting the CookieProcessor explicitly by adding




to conf/context.xml but to no effect.

BTW, I'm using https://github.com/eBay/cors-filter for my CORS filters. I
don't think my apps will be run in something other than Tomcat's, but can't
say that for certain (certainly my boss and customer support manager want
me to stay as generic as possible).

Am I missing something? How can I fix this issue?

-- 
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 111-13)


Re: How to find war file name programmatically?

2019-08-17 Thread W
ServletContext.getRealPath("/") works for me. Thanks.

On Tuesday, August 13, 2019, 01:43:35 AM PDT, Mark Thomas wrote:

 On 12/08/2019 23:18, W wrote:
> Hi,
> I would like to find the war file name (for example,
> ROOT##2019-08-12-10-44.war) inside
> ServletContextListener.contextInitialized() and
> ServletContextListener.contextDestroyed(). So I can send email to admins to warn
> them which app is up and down.
> Is there a way to do it?

It isn't guaranteed to work in all circumstances but try:

ServletContext.getRealPath("/")

If that doesn't work then - assuming you can use reflection - something
along these lines:

Obtain the ServletContext.
Cast it to org.apache.catalina.core.ApplicationContext

Use reflection to read the context field or call getContext() which will
return a StandardContext instance.

Then you have various options:
- call getDocBase()
- call getPath() and getWebappVersion()

and there are probably plenty of other similar approaches that would work.

Mark
