[JBoss JIRA] (WFLY-13003) Support the SameSite cookie attribute

Thursday, 23 January 2020

    [
https://issues.redhat.com/browse/WFLY-13003?page=com.atlassian.jira.plugi...
] 

Masafumi Miura edited comment on WFLY-13003 at 1/23/20 5:53 AM:
----------------------------------------------------------------

I've already raised UNDERTOW-1600 which is related to this feature.

I've just updated a PR for UNDERTOW-1600
https://github.com/undertow-io/undertow/pull/816 which contains the following changes:

- Add support for the SameSite=None attribute
- Add SameSiteCookieHandler that can set the SameSite attribute on all cookies
- Add a utility class SameSiteNoneIncompatibleClientChecker to detect user agents which
are incompatible with the SameSite=None attribute. The regex is based on
https://www.chromium.org/updates/same-site/incompatible-clients

The SameSiteCookieHandler can be enabled with the predicate name
"samesite-cookie" through expression-filter in the undertow subsystem. For
example:

{code:xml}
        <subsystem xmlns="urn:jboss:domain:undertow:7.0" ...>
            ...
            <server name="default-server">
                ...
                <host name="default-host" alias="localhost">
                    <location name="/"
handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                    <!-- <filter-ref name="dump-request"/> -->
                    <filter-ref name="samesite-cookie"/> <!-- add this
-->
                </host>
            </server>
            ...(snip)...
            <filters>
                <!-- <expression-filter name="dump-request"
expression="dump-request"/> -->
                <expression-filter name="samesite-cookie"
expression="samesite-cookie(mode=strict)"/> <!-- add this -->
                <!-- or add the following for Lax or None attribute -->
                <!-- <expression-filter name="samesite-cookie"
expression="samesite-cookie(mode=lax)"/> -->
                <expression-filter name="samesite-cookie"
expression="samesite-cookie(mode=none)"/>
            </filters>
        </subsystem>
{code}

was (Author: mmiura):
I've already raised UNDERTOW-1600 which is related to this feature.

I've just updated a PR for UNDERTOW-1600
https://github.com/undertow-io/undertow/pull/816 which contains the following changes:

- Add support for the SameSite=None attribute
- Add SameSiteCookieHandler that can set the SameSite attribute on all cookies
- Add a utility class SameSiteNoneIncompatibleClientChecker to detect user agents which
are incompatible with the SameSite=None attribute

The SameSiteCookieHandler can be enabled with the predicate name
"samesite-cookie" through expression-filter in the undertow subsystem. For
example:

{code:xml}
        <subsystem xmlns="urn:jboss:domain:undertow:7.0" ...>
            ...
            <server name="default-server">
                ...
                <host name="default-host" alias="localhost">
                    <location name="/"
handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                    <!-- <filter-ref name="dump-request"/> -->
                    <filter-ref name="samesite-cookie"/> <!-- add this
-->
                </host>
            </server>
            ...(snip)...
            <filters>
                <!-- <expression-filter name="dump-request"
expression="dump-request"/> -->
                <expression-filter name="samesite-cookie"
expression="samesite-cookie(mode=strict)"/> <!-- add this -->
                <!-- or add the following for Lax or None attribute -->
                <!-- <expression-filter name="samesite-cookie"
expression="samesite-cookie(mode=lax)"/> -->
                <expression-filter name="samesite-cookie"
expression="samesite-cookie(mode=none)"/>
            </filters>
        </subsystem>
{code}

...
 Support the SameSite cookie attribute
 -------------------------------------

                 Key: WFLY-13003
                 URL: https://issues.redhat.com/browse/WFLY-13003
             Project: WildFly
          Issue Type: Feature Request
          Components: Web (Undertow)
            Reporter: Stuart Douglas
            Assignee: Flavia Rainone
            Priority: Major

 Chrome 80 is going to significantly change how cookies are handled, as per this notice at
[1], with a bit of an explanation of what the same site attribute means at [2].
 At the moment the Servlet specification has no way of setting this particular attribute,
and it is not possible to configure it via container specific configuration in WildFly at
present (it can only be done by writing some Undertow specific code).
 I propose we add a same-site-cookie-attribute predicated handler to undertow, which takes
an optional cookie name regex, and the value for the attribute to set.
 This would allow users to configure the SameSite attribute based on cookie name, and also
potentially based on any other attributes including user agent, as it sounds like some
browsers may have bugs that means this might need to be set on a per user agent basis.
 [1] https://www.chromestatus.com/feature/5088147346030592
 [2] https://web.dev/samesite-cookies-explained/ 

--
This message was sent by Atlassian Jira
(v7.13.8#713008)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006