[jboss-jira] [JBoss JIRA] (WFLY-13003) Support the SameSite cookie attribute
Masafumi Miura (Jira)
issues at jboss.org
Thu Jan 23 05:53:42 EST 2020
[ https://issues.redhat.com/browse/WFLY-13003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13955199#comment-13955199 ]
Masafumi Miura edited comment on WFLY-13003 at 1/23/20 5:53 AM:
----------------------------------------------------------------
I've already raised UNDERTOW-1600 which is related to this feature.
I've just updated a PR for UNDERTOW-1600 https://github.com/undertow-io/undertow/pull/816 which contains the following changes:
- Add support for the SameSite=None attribute
- Add SameSiteCookieHandler that can set the SameSite attribute on all cookies
- Add a utility class SameSiteNoneIncompatibleClientChecker to detect user agents which are incompatible with the SameSite=None attribute. The regex is based on https://www.chromium.org/updates/same-site/incompatible-clients
The SameSiteCookieHandler can be enabled with the predicate name "samesite-cookie" through expression-filter in the undertow subsystem. For example:
{code:xml}
<subsystem xmlns="urn:jboss:domain:undertow:7.0" ...>
    ...
    <server name="default-server">
        ...
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
            <!-- <filter-ref name="dump-request"/> -->
            <filter-ref name="samesite-cookie"/> <!-- add this -->
        </host>
    </server>
    ...(snip)...
    <filters>
        <!-- <expression-filter name="dump-request" expression="dump-request"/> -->
        <expression-filter name="samesite-cookie" expression="samesite-cookie(mode=strict)"/> <!-- add this -->
        <!-- or add the following for Lax or None attribute -->
        <!-- <expression-filter name="samesite-cookie" expression="samesite-cookie(mode=lax)"/> -->
        <!-- <expression-filter name="samesite-cookie" expression="samesite-cookie(mode=none)"/> -->
    </filters>
</subsystem>
{code}
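The user-agent check behind the mode=none case, as an added stand-alone Java example: it is a constructed reimplementation of the Chromium incompatible-clients rules linked above, not Undertow's SameSiteNoneIncompatibleClientChecker or any code from the PR, and the class name and the sample User-Agent strings are made up for the demonstration. It shows why a handler emitting SameSite=None must be gated per user agent: some clients treat the value as Strict, others drop the cookie outright.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed example: independent reimplementation of the Chromium "incompatible clients" rules.
public final class SameSiteNoneCheck {
    private static final Pattern IOS = Pattern.compile("\\(iP.+; CPU .*OS (\\d+)[_\\d]*.*\\) AppleWebKit/");
    private static final Pattern MACOS = Pattern.compile("\\(Macintosh;.*Mac OS X (\\d+)_(\\d+)[_\\d]*.*\\) AppleWebKit/");
    private static final Pattern SAFARI = Pattern.compile("Version/.* Safari/");
    private static final Pattern MAC_EMBEDDED =
            Pattern.compile("^Mozilla/[.\\d]+ \\(Macintosh;.*Mac OS X [_\\d]+\\) AppleWebKit/[.\\d]+ \\(KHTML, like Gecko\\)$");
    private static final Pattern CHROMIUM = Pattern.compile("Chrom(e|ium)");
    private static final Pattern CHROMIUM_VER = Pattern.compile("Chrom[^ /]+/(\\d+)[.\\d]* ");
    private static final Pattern UC = Pattern.compile("UCBrowser/");
    private static final Pattern UC_VER = Pattern.compile("UCBrowser/(\\d+)\\.(\\d+)\\.(\\d+)[.\\d]* ");

    /** True when it is safe to emit SameSite=None to this user agent. */
    public static boolean shouldSendSameSiteNone(String ua) {
        return !(hasWebKitSameSiteBug(ua) || dropsUnrecognizedSameSiteCookies(ua));
    }

    // iOS 12 and macOS 10.14 Safari / embedded WebKit treat SameSite=None as SameSite=Strict.
    static boolean hasWebKitSameSiteBug(String ua) {
        Matcher ios = IOS.matcher(ua);
        if (ios.find() && ios.group(1).equals("12")) return true;
        Matcher mac = MACOS.matcher(ua);
        boolean safari = SAFARI.matcher(ua).find() && !CHROMIUM.matcher(ua).find();
        return mac.find() && mac.group(1).equals("10") && mac.group(2).equals("14")
                && (safari || MAC_EMBEDDED.matcher(ua).find());
    }

    // Chromium 51-66 and UC Browser before 12.13.2 reject cookies carrying an unrecognised SameSite value.
    static boolean dropsUnrecognizedSameSiteCookies(String ua) {
        if (UC.matcher(ua).find()) {
            Matcher m = UC_VER.matcher(ua);
            if (!m.find()) return true; // version not parseable: assume the old, incompatible behaviour
            int maj = Integer.parseInt(m.group(1)), min = Integer.parseInt(m.group(2)), b = Integer.parseInt(m.group(3));
            return !(maj > 12 || (maj == 12 && (min > 13 || (min == 13 && b >= 2))));
        }
        Matcher m = CHROMIUM_VER.matcher(ua);
        if (!CHROMIUM.matcher(ua).find() || !m.find()) return false;
        return Integer.parseInt(m.group(1)) >= 51 && Integer.parseInt(m.group(1)) < 67;
    }

    public static void main(String[] args) { // constructed sample User-Agent strings, not captured traffic
        String[] uas = {
            "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" };
        for (String ua : uas)
            System.out.println((shouldSendSameSiteNone(ua) ? "send SameSite=None : " : "omit SameSite      : ") + ua);
    }
}
```

The first two sample agents are reported as incompatible (omit the attribute), the Chrome 80 agent as safe; a handler in mode=none would consult exactly this decision before writing the attribute on each response cookie.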
> Support the SameSite cookie attribute
> -------------------------------------
>
> Key: WFLY-13003
> URL: https://issues.redhat.com/browse/WFLY-13003
> Project: WildFly
> Issue Type: Feature Request
> Components: Web (Undertow)
> Reporter: Stuart Douglas
> Assignee: Flavia Rainone
> Priority: Major
>
> Chrome 80 is going to significantly change how cookies are handled, as per this notice at [1], with a bit of an explanation of what the same site attribute means at [2].
> At the moment the Servlet specification has no way of setting this particular attribute, and it is not possible to configure it via container specific configuration in WildFly at present (it can only be done by writing some Undertow specific code).
> I propose we add a same-site-cookie-attribute predicated handler to undertow, which takes an optional cookie name regex, and the value for the attribute to set.
> This would allow users to configure the SameSite attribute based on cookie name, and also potentially based on any other attributes including user agent, as it sounds like some browsers may have bugs that mean this might need to be set on a per user agent basis.
> [1] https://www.chromestatus.com/feature/5088147346030592
> [2] https://web.dev/samesite-cookies-explained/
--
This message was sent by Atlassian Jira
(v7.13.8#713008)