HttpCookie.Builder does not allow removing SameSite #13539

@robtimus

Jetty version(s)
12.1.0

Jetty Environment
core

Java version/vendor (use: java -version)
openjdk version "17.0.15" 2025-04-15
OpenJDK Runtime Environment Temurin-17.0.15+6 (build 17.0.15+6)
OpenJDK 64-Bit Server VM Temurin-17.0.15+6 (build 17.0.15+6, mixed mode, sharing)

OS type/version
Microsoft Windows [Version 10.0.26100.4946]

Description
HttpCookie.Builder allows setting several attributes, including customized methods for well-known attributes. It also allows removing all of these attributes except for one: SameSite. Where values for attributes like Expires contain null checks (see

), such a check is missing for SameSite (see
_attributes = lazyAttributePut(_attributes, SAME_SITE_ATTRIBUTE, sameSite.attributeValue);
). As a result, trying to clear the SameSite attribute this way results in a NullPointerException.

The alternative using .attribute("SameSite", null) will also fail due to the null check at

. As a result, once it has been set the SameSite attribute can never be removed again.

How to reproduce?

HttpCookie.build("name", "value")
        .expires(Instant.now()) // succeeds
        .expires(null) // succeeds
        .sameSite(SameSite.STRICT) // succeeds
        .sameSite(null); // fails with a NullPointerException

HttpCookie.build("name", "value")
        .sameSite(SameSite.STRICT) // succeeds
        .attribute(HttpCookie.SAME_SITE_ATTRIBUTE, null); // fails with an IllegalArgumentException
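
A caller-side way to end up with a cookie that has no SameSite attribute while the builder cannot remove it, as an added example that is not part of the original issue or of Jetty's code: copy every attribute except SameSite into a fresh builder. `SameSiteStripper` and `withoutSameSite` are hypothetical names; the sketch assumes Jetty 12's `HttpCookie.getName()`, `getValue()`, `getAttributes()`, `getSameSite()` and `Builder.build()`, and it does not carry over the cookie version.

```java
import java.time.Instant;
import java.util.Map;

import org.eclipse.jetty.http.HttpCookie;
import org.eclipse.jetty.http.HttpCookie.SameSite;

// Hypothetical helper, not part of Jetty.
public final class SameSiteStripper
{
    private SameSiteStripper()
    {
    }

    // Returns a copy of the cookie that keeps every attribute except SameSite.
    public static HttpCookie withoutSameSite(HttpCookie cookie)
    {
        HttpCookie.Builder copy = HttpCookie.build(cookie.getName(), cookie.getValue());
        for (Map.Entry<String, String> attribute : cookie.getAttributes().entrySet())
        {
            // Cookie attribute names are case-insensitive, so compare that way.
            if (HttpCookie.SAME_SITE_ATTRIBUTE.equalsIgnoreCase(attribute.getKey()))
                continue;
            // attribute() is the generic setter used in the reproduction above.
            copy.attribute(attribute.getKey(), attribute.getValue());
        }
        return copy.build();
    }

    public static void main(String[] args)
    {
        // Constructed sample cookie, using only builder calls shown in the issue.
        HttpCookie original = HttpCookie.build("name", "value")
            .expires(Instant.now().plusSeconds(3600))
            .sameSite(SameSite.STRICT)
            .build();

        HttpCookie stripped = withoutSameSite(original);

        // The copy keeps Expires but no longer reports a SameSite value.
        System.out.println(original.getSameSite() + " -> " + stripped.getSameSite());
        System.out.println(stripped.getAttributes());
    }
}
```

A cookie sent without a SameSite attribute falls under the browser's default SameSite handling.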
