-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#175 Add support for SameSite cookies #271
Conversation
The current Google Chrome 80 (canary builds) are already enforcing |
@aldaris this PR is failing the Eclipse ECA checks.
|
8010c93
to
637f1cd
Compare
@yang-wei The ECA related concerns should not be a problem any more, but the code still needs to be reviewed. |
637f1cd
to
7b4549f
Compare
for anyone who is looking for alternative, we do this for our scala code private def setNoneSamesiteCookie(response: HttpServletResponse) {
val setCookieHeader = "Set-Cookie"
val l = new ListBuffer[String]()
response.getHeaders(setCookieHeader).toArray().foreach(s => {
l += String.format("%s; %s", s, "SameSite=None")
})
l.toList match {
case head :: tail => {
// this will clean all headers and set the first header with samesite
response.setHeader(setCookieHeader, head)
tail.foreach(s => {
response.addHeader(setCookieHeader, s)
})
}
case Nil => None
}
} |
Ok, but isn't that overriden if we set other Cookies ? |
overriden with the attribute SameSite=None. |
934de5d
to
6e10cb3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Avoid using user's default locale in toUpperCase.
Also, perhaps don't override toString()
for literal, instead have new toLiteral()
method?
I've used Also I was wondering if you were happy with the current wording of the JavaDoc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 from me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few more changes... but almost there!
* | ||
* <p> | ||
* Note that this mode is browser dependent, and browsers may require cookies to have the {@literal Secure} | ||
* attribute to be set at the same time. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/*
I wonder if this should mention the horrors of:
https://www.chromium.org/updates/same-site/incompatible-clients
Chances are it would turn outdated eventually though.
*/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a general warning that browsers may interpret spec differently is fine.... Perhaps we should say that on every feature :)
If you can give me a final thumbs up on the review, I'll squash my commits so you can merge this. :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@aldaris I can squash and merge from git if you like. |
dc3041b
to
f82c842
Compare
I thought the plan was not to change the API at all for 5.0. Or is this planned for 5.1? If so, we need to create a 5.0.x branch. |
@markt-asf good question. But we really need to make changes like this to stay relevant. @bshannon thoughts? |
You definitely can't change the javax version. You can make changes like this in 5.0, but the review process requires you to call them out, It would probably be best to engage with the platform project team and/or the spec committee |
The argument to include this feature in 5.0 is that browsers already support this feature, there is demand for its usage and containers are already adding non-standard configuration to support it. To not have it in 5.0 just makes the standard less relevant to current needs. For now I'll leave this unmerged until we engage with platform project team and/or the spec committee and develop firm plans for 5.0 and 5.1 |
Signed-off-by: Peter Major <peter.major@forgerock.com>
Signed-off-by: Peter Major <peter.major@forgerock.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are some minor changes related to now targetting 5.1, but other than that I think it is mostly ready to go.
Once this goes in we need to add some TCK tests for it though, and we have not really sorted out exactly how that is going to work yet.
* | ||
* @see jakarta.servlet.http.Cookie#setSameSite(SameSite) | ||
* | ||
* @since Servlet 5.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs to be 5.1 now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And replace <tt>
over all place by <code>
or {@code}
. The <tt>
is disallowed since the HTML5 era and newer versions of the Javadoc tool is prone to error out on them.
* | ||
* @see jakarta.servlet.http.Cookie#getSameSite | ||
* | ||
* @since Servlet 5.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
5.1
* @param sameSite the <i>SameSite</i> attribute's value; may be null if the attribute should be a container | ||
* provided context default or not set if there is no context default. | ||
* | ||
* @since Servlet 5.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
5.1
* @return the <i>SameSite</i> attribute associated with this cookie; may be null to indicate that the attribute | ||
* should be a container provided context default or not set if there is no context default. | ||
* | ||
* @since Servlet 5.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
5.1
/** | ||
* The available values that can be used with the cookie's <i>SameSite</i> attribute. | ||
*/ | ||
public enum SameSite { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMHO this should be a javadoc only feature. I don't see any benefit to including this in the ServletContext.
This also needs an entry in the changelog of the spec document |
Any update on this? |
Could someone show up and explain what is happening with this PR? I've been willing to set the samesite attribute in my cookies for so long and this PR has been blocked for months, apparently waiting for small changes. |
Would be great to see this one merged in. |
* Retrieves the {@link SameSite} instance from its String representation. | ||
* | ||
* @param value the String to be converted | ||
* @return the corresponding {@link SameSite} enum |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should document @throws IllegalArgumentException
as well for the unhappy path.
Oh man, this should have been merged ages ago. It was reported in #175 in 2017, you got a generous PR in 2019 and now is 2021 and it's still in limbo. I never imagined it would take so many years to add a damn property to cookies. Everybody builds workarounds since ages because of this! Can't you just swap the My apologies for the rudeness. |
It was proposed 2016 https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site but indeed still hasn't yet ended up in the standard spec, they're after 5 years still drafting it https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-07 (7th revision!) The current PR uses a predefined enum instead of a free text string and this moving target is very prone to cause forward and backward compatibility problems in the future. It's much better to add a generic Cookie#setAttribute method as suggested here #175 (comment) until they have crystallized it into the spec. |
I've prepped a PR to add Cookie#setAttribute: #399 |
* Add Cookie#setAttribute #175 #271 * Skip null value from check for reserved token * Alternative approach to cookie attribute handling github.com//pull/399#discussion_r624276777 * Make sure path is referenced via constant * In hindsight, token check doesn't need to be performed on value * Match casing with spec; mapping is case insensitive anyway * Optimized Cookie to lazily create attribute map * Added junit test * Updates from review * Fixed quote * surefire plugin * Updates from review * Updates from review Co-authored-by: Bauke Scholtz <balusc@gmail.com>
This has been superseded by the addition of generic attribute support. |
@markt-asf Do you have a link for the generic attribute support? To which version was this added? This would make it more future proof - nice. |
#401 - it will be in Servlet 6.0 |
Damn 6.0 is quite late - so now there is no solution for 5.1, right? |
I think this issue should be reopened and implemented in Servlet 6.1 The SameSite attribute it's too important to be declassed as a generic attribute, If I use the generic setAttribute method and make a typo, For real world developers it's really important to have a set-in-stone fundamental attribute like this one https://web.dev/articles/samesite-cookie-recipes?hl=en |
SameSite spec is still in draft mode: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-13 13th cycle already! |
@pizzi80 I actually think the generic Esp considering how quickly the Cookie spec is evolving.
It's not ideal to have to wait for another Servlet spec release (and associated implementations) to handle the evolution of Cookie in your webapp. |
Why can't you? There is the spec committee on one side and reality on the other. |
You can make typos in many places in Servlet and your webapp may no longer work. |
Browsers don't represent a spec.
Jakarta EE isn't a random "3rd party library". Jakarta EE is also a spec. Just use |
This PR adds support for SameSite attributes, allowing consumers of the API setting cookies with SameSite flags None, Lax, and Strict.
#175