OpenGrokProject cookie misusing the sameSite attribute #3164
Comments
This is a new thing introduced lately in the browser's security and enforced by browsers at the moment. It's about limiting cookie usage in third-party contexts. (It's not connected to your setup.)
For the record, the cookie is born in `Cookie cookie = new Cookie(PageConfig.OPEN_GROK_PROJECT, URLEncoder.encode(cookieValue, "utf-8"));` and the J2EE object allows to set the
Okay, so something we will need to address.
As this is a new thing, it may require updating the servlet-api (where the Cookie object is). More details are at jakartaee/servlet#175 (wasn't looking all through that, so it may not be resolved yet). If an update is not applicable, we'd need to set the cookie directly, so instead of:
we need:
As I was already tackling this in my company, I had a problem when multiple cookies were being set at a time - if this is experienced - it is possible to use one Set-Cookie directive and join the cookies with
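Added example, not part of the thread or of OpenGrok's code: one way to set the cookie directly, as the comments above describe, by building the `Set-Cookie` header value by hand so that `SameSite` can be included. The class and method names, the `/source` path and the sample value are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added illustration; class, method and sample values are hypothetical.
public class SameSiteCookieHeader {

    enum SameSite {
        STRICT("Strict"), LAX("Lax"), NONE("None");
        final String token;
        SameSite(String token) { this.token = token; }
    }

    /** Build the value of a single Set-Cookie header, including SameSite. */
    static String build(String name, String value, String path, int maxAgeSeconds,
                        boolean secure, boolean httpOnly, SameSite sameSite)
            throws UnsupportedEncodingException {
        // Name and path go into the header verbatim: allow only safe characters
        // so a caller-supplied string cannot add attributes or split the header.
        if (!name.matches("[A-Za-z0-9_.-]+")) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (!path.matches("/[A-Za-z0-9_./~-]*")) {
            throw new IllegalArgumentException("invalid cookie path");
        }
        // Browsers reject SameSite=None cookies that are not marked Secure.
        if (sameSite == SameSite.NONE && !secure) {
            throw new IllegalArgumentException("SameSite=None requires Secure");
        }
        StringBuilder sb = new StringBuilder();
        // The value is URL-encoded, as in the Cookie constructor call quoted in the thread.
        sb.append(name).append('=').append(URLEncoder.encode(value, "utf-8"));
        sb.append("; Path=").append(path);
        sb.append("; Max-Age=").append(maxAgeSeconds);
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        sb.append("; SameSite=").append(sameSite.token);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: cookie name from the issue title, made-up value and path.
        String header = build("OpenGrokProject", "proj-a,proj b", "/source",
                3600, false, false, SameSite.LAX);
        System.out.println("Set-Cookie: " + header);
        // In a servlet, pass the same string to response.addHeader("Set-Cookie", header).
        // addHeader appends a header per cookie; setHeader replaces earlier values.
    }
}
```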
I went through the debate on the EE4J PR and there seems to be a great deal of complexity w.r.t. getting this API in for such a small change. Even if the PR was merged in, we would have to do some bunny hops to get to the new Servlet API. jakartaee/servlet#271 (comment) suggests configuring this on the container level (Tomcat); however, I'd like to have the control in the web app.
FF 76 claims this when loading the index page with developer tab on:
Not sure this is related to my deployment; however, this is something we might need to investigate.