You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Chrome and other browsers are starting to require cookies contain the SameSite attribute.
This is not currently available in the Java Servlet 3.1 or 4.0 specification.
This only affects cookies that are not marked as secure which means the connection is not using TLS.
Deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected.
Cookie SameSite Configuration or default behavior
Description
Chrome and other browsers are starting to require cookies contain the
SameSiteattribute.This is not currently available in the Java Servlet 3.1 or 4.0 specification.
This only affects cookies that are not marked as secure which means the connection is not using TLS.
https://www.chromestatus.com/feature/5633521622188032
More recent versions of Apache Tomcat do seem to have some support for this capability.
It is also possible to manually write the
Set-Cookieheader, but this has a bunch of problems as well.Additional context
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
This PR may contain what we need, we'll see if we can pick this up without moving to Tomcat 9 or 10.
apache/tomcat#162
https://security.stackexchange.com/a/187671/188227
https://www.chromestatus.com/feature/5088147346030592
The text was updated successfully, but these errors were encountered: