Allow RFC6265 Cookies to include optional SameSite attribute.

[joakime]

Per https://tools.ietf.org/html/draft-west-first-party-cookies-07
and https://caniuse.com/#search=samesite

There is a new "SameSite" attribute that the Set-Cookie syntax which allows servers to assert that a cookie ought not to be sent along with cross-site requests.

[joakime]

Currently, there's 3 defined values present in the draft spec "None", "Strict", and "Lax".

Evaluate if we would need to update org.eclipse.jetty.http.HttpCookie to include this information.
Should this be a setting that applications can use?
Can this be configured as a ServletContext attribute? (possibly values: "Excluded", "None", "Strict", "Lax")?

[joakime]

This could also become a CookieCompliance configurable behavior for the ServerConnector.

[BruceMacD]

I've been working on some SameSite behavior in Jetty due to the upcoming changes in Google Chrome. If there is interest I could add some tests to my implementation and can provide a pull request. My current implementation updates the org.eclipse.jetty.http.HttpCookie and org.eclipse.jetty.server.Response.addSetRFC6265Cookie().

I have the default behavior to exclude the specifier by default due to some unexpected browser behaviors [1].

Let me know if there would be any more expectations here.

[1] https://bugs.webkit.org/show_bug.cgi?id=198181

[sbordet]

@BruceMacD a PR would be great.

[joakime]

Note: javax.servlet.http.Cookie does not support this extra attribute as well.
Should perhaps also add an issue at https://github.com/eclipse-ee4j/servlet-api for this. (it might be possible to have it show up in a release as early as Jakarta EE 9)

The CookieCompliance class should be updated to allow HttpConfiguration based control of this SameSite behavior.
(Possibly similar to how HttpCompliance operates)

[joakime]

The title references https://tools.ietf.org/html/rfc6265
But that RFC doesn't have the SameSite attribute.

[sparklton]

It works good, but what about the JSESSIONID cookie? This cookie is created internally by Jetty somewhere, how do we make it include the SameSite requirements as well. I see warnings in Chrome browsers about this.

[joakime]

@sparklton i opened Issue #4247 to discuss this further.