Investigate SameSite Cookie Support #1828
Assignees
Comments
|
As discussed on the ML, there's no sensible route to implement this from Lift's POV until the servlet API adds the functionality. We'll keep an eye on the servlet spec and make an addition to our API once they do what they need to do on their end. |
|
As a reference, here a PR for Servlet API to have support for SameSite cookies -> jakartaee/servlet#271 With that, I think Lift can add SameSite cookies support too. Since that will take time, here a workaround in the meantime -> https://dev.to/csaltos/lift-webframework-samesite-cookie-workaround-nl0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
SameSite Cookies are gaining some traction recently, now having support in Chrome and Opera. Lift isn't particularly prone to CSRF by its design anyhow, but setting the SameSite attribute would probably be an additional barrier to CSRF / XSS in the event the developer wanted to set a cookie that was not HTTPOnly.
Related ML thread: https://groups.google.com/d/msg/liftweb/bKFoFctcY8k/KuJKGZX_CwAJ
The text was updated successfully, but these errors were encountered: