-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Thad,
On 8/17/19 17:06, Thad Humphries wrote:
> I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06
> (4.12.0). I've encountered a problem with Chrome Canary Version
> 78.0.3886.0 which installed today, August 17th, 2019.
>
> When beginning the session with my server, Chrome will not honor
> the JSESSIONID cookie. In the Chrome console is the warning:
>
>
> "[Deprecation] A cookie associated with a cross-site resource at
> http://localhost/ was set without the `SameSite` attribute. A
> future release of Chrome will only deliver cookies with cross-site
> requests if they are set with `SameSite=None`. You can review
> cookies in developer tools under Application>Storage>Cookies and
> see more details at
> https://www.chromestatus.com/feature/5088147346030592.;
>
>
> Chrome 76 (the stable release) works fine, and Canary works if I
> disable the "SameSite by default cookies"
> (chrome://flags/#same-site-by-default-cookies). However the link in
> the deprecation warning notes that this feature will be enabled by
> default in Chrome 80.
>
> I've read the CookieProcessor docs (
> https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html)
>
>
which leads me to believe that sameSiteCookies is set to none by default
.
> However I don't see that in Chrome's DevTools, nor in the
> JSESSIONID I receive when testing my server app with Insomnia
> v6.6.2. I have tried setting the CookieProcessor explicitly by
> adding
>
>
>
>
> to conf/context.xml but to no effect.
The default is "none". When it's set to "none" (or not set it all,
because it's the default, then you get "none".
> BTW, I'm using https://github.com/eBay/cors-filter for my CORS
> filters. I don't think my apps will be run in something other than
> Tomcat's, but can't say that for certain (certainly my boss and
> customer support manager want me to stay as generic as possible).
>
> Am I missing something? How can I fix this issue?
When the value is "none", then no SameSite attribute is sent. At all.
It doesn't send "SameSite=none" to the browser. It sends nothing.
Chrome is complaining about the SameSite attribute not being sent. If
you want Chrome to stop complaining, then set the sameSite attribute
to something *other than* "none".
- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl1YqKUACgkQHPApP6U8
pFjwPw/+LSsJOiXJx264b1bjDndiBaHY1t3IJTFIHPBSKJI5qTuIGQdEDrzeUZlE
/Bb4uQK/D88jW6kfJp48r6bAesBpV9ZqTUBUdzSOjT7xu/5/ZvHMgWAzC5ORgVAR
7dvW365FuvxjW7Zloolz7ucNlGR/jZoIBiPLWo8wHznPJDhMy4GceJMaFttsJxLq
58QIuGK16OE+eGd5r+662irPx2GgUo0M/ffU0WE7kMLCYx4/sad0cNim9ZGB2Lup
ZNOvs4zQ4ZE7GIkJM7DE6cyFWxvBChk0eWUy3fSWj23GjWO3miEjOKPx71D+/K9y
zC+d+lSlOU8dtf/42LENn6FbjJn/9xYJqh9hqOU45mFS3NmtZjH8ygdIvIiYnBcM
Ey3cRMdWBArfTkW+J3mtD7AX2Eu/KCU+IYHfTF4+LkI0E+2ZelH5/leh9WymP8oE
J7wZVtKahtluTRpQR+cNfJO2iFPo3O9SgKLm/XDPbPsaxq49mVEPzC/9GGcw1OFX
bfy61ougsxpzP7t+OZK3nZ979bSVbvm8FjwbWud5rKEW6kWgnZjWD6N2ZNu6MZZh
re1gJ2ZaEjl5cU1W4J6c66wM3upXeo/cMgh7d6XwBTsiAeE69HPaPd5y+QLeBHcv
krCDyM8991XeiGgvL3rtXgdzoJ0uZPAoYfIgTFRX98+Gthhr8KI=
=YE+P
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org