Upgr to Play 2.6.25 with SameSite cookie field.

debiki · Mar 3, 2020 · 1308acd · 1308acd
1 parent 124ad68
commit 1308acd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/app/ed/server/security/package.scala b/app/ed/server/security/package.scala
@@ -556,6 +556,24 @@ class EdSecurity(globals: Globals) {
     path = "/",
     domain = None,
     secure = globals.secure,
+    sameSite =
+      // Later, could change to Lax or even Strict, for session id cookie,
+      // and, when embedded, always send session id via header instead?
+      // Or now directly? There are SameSite: None incompatible browsers:
+      // https://www.chromium.org/updates/same-site/incompatible-clients
+      // Ok explanation of Strict, Lax and None:
+      //   https://web.dev/samesite-cookies-explained/
+      /* if (globals.skipSameSiteCookieAttr) {
+        None
+      }
+      else */
+      if (globals.secure) {
+        Some(Cookie.SameSite.None)
+      }
+      else {
+        // SameSite.None only works with https.
+        None
+      },
     httpOnly = false)
 
 

diff --git a/project/plugins.sbt b/project/plugins.sbt
@@ -18,7 +18,7 @@ resolvers ++= Seq(
   Resolver.sbtPluginRepo("releases")) // =  https://repo.scala-sbt.org/scalasbt/sbt-plugin-releases/
 
 // Use the Play sbt plugin for Play projects
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.6.22")    // newest 6x, as of 19-05-12
+addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.6.25")    // newest 6x, as of 20-02-27,
 
 
 // Dependency tree, https://github.com/jrudolph/sbt-dependency-graph