Hi

My general recollection is cross site scripting must include the specific 
allowable domains in the configuration for this to work. Allowing cross site 
scripting from all domains is very bad.

John Orendt
john.p.ore...@medtronic.com

-----Original Message-----
From: John <john.ili...@iliffe.ca>
Sent: Tuesday, January 18, 2022 3:36 PM
To: Apache <users@httpd.apache.org>
Subject: [EXTERNAL] [users@httpd] Source of JSESSIONID Cookie

I am developing a payment function that requires data to be loaded from a 
third-party URL.  Firefox is throwing errors such as:

1. Some cookies are misusing the “SameSite” attribute, so it won’t work as 
   expected.

2. Cookie “JSESSIONID” has “SameSite” policy set to “Lax” because it is 
   missing a “SameSite” attribute, and “SameSite=Lax” is the default value for 
   this attribute. card.html

3. Cookie “JSESSIONID” has been rejected because it is in a cross-site 
   context and its “SameSite” is “Lax” or “Strict”.

These are default cookies from somewhere; my code doesn't set or manage them.

Searching the web suggests that these are http server cookies but I can't find 
anything explicit in the Apache documentation.  From httpd.conf :

#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so

so the session cookie modules are not loaded.

Does anyone know how to set the correct "SameSite" value in this type of 
cookie?  Or prevent the cookie from being sent?  I'm not sure what I need to 
set since I WANT to allow cross-site responses to the browser to pick up 
response data not coming from my server.  Neither "lax" nor "strict" seems 
right to me; maybe just not send the cookie?

Thanks in advance.

John
==============
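As an added example that is not part of the thread above: JSESSIONID is the session cookie name used by Java servlet containers (Tomcat, Jetty, JBoss and similar), so when httpd is acting as a proxy in front of such a container the cookie is minted by the backend, not by httpd, which is why the mod_session modules being commented out makes no difference. httpd can still rewrite the cookie on its way to the browser with mod_headers. The fragment below assumes httpd 2.4 with mod_headers available and a backend that sends `Set-Cookie: JSESSIONID=...` without a SameSite attribute; the `<Location>` path and the regexes are this example's own choices, not anything from the original post.

```apache
# Added example, not from the original thread.
# Assumes httpd 2.4 with mod_headers, fronting a servlet container that
# sets JSESSIONID.  Adjust the Location to the path of the payment pages.
LoadModule headers_module modules/mod_headers.so

<Location "/">
    # Default (weak) situation, nothing to configure: the backend sends
    #   Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly
    # with no SameSite attribute.  Firefox and Chrome then treat it as
    # SameSite=Lax and drop it on cross-site requests, which is exactly the
    # browser warning quoted in the question.

    # Corrected: first remove any SameSite attribute the backend may already
    # have set (so the two directives never produce a duplicate), then append
    # Secure and SameSite=None.  Browsers ignore SameSite=None unless Secure
    # is also present, so this only works for a site served over HTTPS.
    Header edit Set-Cookie "^(JSESSIONID=.*?);\s*SameSite=[^;]*" "$1"
    Header edit Set-Cookie "^(JSESSIONID=.*)$" "$1; Secure; SameSite=None"
</Location>
```

To confirm the rewrite is in effect, request the page that sets the session and look at the response header, for example `curl -skI https://your-host/card.html | grep -i '^set-cookie'`; the JSESSIONID line should now end in `Secure; SameSite=None`. Two caveats a reviewer would raise for a payment flow. First, SameSite=None re-enables sending the session cookie on requests initiated by other sites, so the application must carry its own CSRF protection (tokens on state-changing requests); SameSite=Lax was doing part of that job for free. Second, it is worth checking which request actually triggers the warning: if the third-party data is fetched by the browser with fetch/XHR or a script tag, JSESSIONID is only ever sent to your own origin and the warning is more likely caused by your page being loaded in a cross-site context, such as a redirect or POST back from the payment provider, or an iframe embedding. If the servlet container is under your control, the same result can be set at the source instead of in httpd; for example, recent Tomcat releases accept a `<CookieProcessor sameSiteCookies="none" />` element in context.xml (assumed to be available in your Tomcat version; check its documentation).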
