-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Thad,
On 8/17/19 17:06, Thad Humphries wrote: > I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 > (4.12.0). I've encountered a problem with Chrome Canary Version > 78.0.3886.0 which installed today, August 17th, 2019. > > When beginning the session with my server, Chrome will not honor > the JSESSIONID cookie. In the Chrome console is the warning: > > > "[Deprecation] A cookie associated with a cross-site resource at > http://localhost/ was set without the `SameSite` attribute. A > future release of Chrome will only deliver cookies with cross-site > requests if they are set with `SameSite=None`. You can review > cookies in developer tools under Application>Storage>Cookies and > see more details at > https://www.chromestatus.com/feature/5088147346030592."; > > > Chrome 76 (the stable release) works fine, and Canary works if I > disable the "SameSite by default cookies" > (chrome://flags/#same-site-by-default-cookies). However the link in > the deprecation warning notes that this feature will be enabled by > default in Chrome 80. > > I've read the CookieProcessor docs ( > https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html) > > which leads me to believe that sameSiteCookies is set to none by default . > However I don't see that in Chrome's DevTools, nor in the > JSESSIONID I receive when testing my server app with Insomnia > v6.6.2. I have tried setting the CookieProcessor explicitly by > adding > > <CookieProcessor sameSiteCookies="none"></CookieProcessor> > > > to conf/context.xml but to no effect. The default is "none". When it's set to "none" (or not set it all, because it's the default, then you get "none". > BTW, I'm using https://github.com/eBay/cors-filter for my CORS > filters. I don't think my apps will be run in something other than > Tomcat's, but can't say that for certain (certainly my boss and > customer support manager want me to stay as generic as possible). > > Am I missing something? How can I fix this issue? When the value is "none", then no SameSite attribute is sent. At all. It doesn't send "SameSite=none" to the browser. It sends nothing. Chrome is complaining about the SameSite attribute not being sent. If you want Chrome to stop complaining, then set the sameSite attribute to something *other than* "none". - -chris -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl1YqKUACgkQHPApP6U8 pFjwPw/+LSsJOiXJx264b1bjDndiBaHY1t3IJTFIHPBSKJI5qTuIGQdEDrzeUZlE /Bb4uQK/D88jW6kfJp48r6bAesBpV9ZqTUBUdzSOjT7xu/5/ZvHMgWAzC5ORgVAR 7dvW365FuvxjW7Zloolz7ucNlGR/jZoIBiPLWo8wHznPJDhMy4GceJMaFttsJxLq 58QIuGK16OE+eGd5r+662irPx2GgUo0M/ffU0WE7kMLCYx4/sad0cNim9ZGB2Lup ZNOvs4zQ4ZE7GIkJM7DE6cyFWxvBChk0eWUy3fSWj23GjWO3miEjOKPx71D+/K9y zC+d+lSlOU8dtf/42LENn6FbjJn/9xYJqh9hqOU45mFS3NmtZjH8ygdIvIiYnBcM Ey3cRMdWBArfTkW+J3mtD7AX2Eu/KCU+IYHfTF4+LkI0E+2ZelH5/leh9WymP8oE J7wZVtKahtluTRpQR+cNfJO2iFPo3O9SgKLm/XDPbPsaxq49mVEPzC/9GGcw1OFX bfy61ougsxpzP7t+OZK3nZ979bSVbvm8FjwbWud5rKEW6kWgnZjWD6N2ZNu6MZZh re1gJ2ZaEjl5cU1W4J6c66wM3upXeo/cMgh7d6XwBTsiAeE69HPaPd5y+QLeBHcv krCDyM8991XeiGgvL3rtXgdzoJ0uZPAoYfIgTFRX98+Gthhr8KI= =YE+P -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
