Re: [EXTERNAL] - Re: Partitioned cookies

2023-11-15 Thread Adam Warfield
That's strange. I was not aware the proposal had expired. I've been working off 
of a few pages as it seemed Chrome/Edge were moving forward with Firefox at 
least showing positive support without committing.

https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/
  (October 2023)

https://github.com/mozilla/standards-positions/issues/678  (Firefox showing 
positive support, last updated 2022)

https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies

https://github.com/privacycg/CHIPS


Adam


From: Chuck Caldarale 
Sent: Wednesday, November 15, 2023 9:48 AM
To: Tomcat Users List 
Subject: [EXTERNAL] - Re: Partitioned cookies


On Nov 15, 2023, at 08:06, Adam Warfield  wrote:

The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but 
starting in 2024, browsers will begin enforcing the newer "Partitioned" 
attribute for third-party cookies. Is there a way to set this attribute within 
Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any 
webapps that are embedded within iframes across domains where those cookies 
will be rejected if not partitioned.


Looks like the CHIPS proposal:

Cookies Having Independent Partitioned State specification
<https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/>

expired this past May and no updated version has been submitted to IETF. Is 
there some other active standards document describing cookie partitioning?

  - Chuck



Partitioned cookies

2023-11-15 Thread Adam Warfield
The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but 
starting in 2024, browsers will begin enforcing the newer "Partitioned" 
attribute for third-party cookies. Is there a way to set this attribute within 
Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any 
webapps that are embedded within iframes across domains where those cookies 
will be rejected if not partitioned.

Adam