Petr Kadlec created CXF-9072:
--------------------------------
Summary: NewCookieHeaderProvider does not support SameSite attribute on cookies
Key: CXF-9072
URL: https://issues.apache.org/jira/browse/CXF-9072
Project: CXF
Issue Type: Bug
Components: JAX-RS
Affects Versions: 3.6.4
Reporter: Petr Kadlec
{{ResponseImpl.getCookies}} (which works via {{NewCookieHeaderProvider}}) does
not work for cookies using the {{SameSite}} attribute.
Example:
{code:java}
System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8"));
System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8;Comment=none"));
System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8;SameSite=none"));
{code}
Expected output:
{quote}
Set-Cookie: sessionId=38afes7a8;Version=1
Set-Cookie: sessionId=38afes7a8;Comment=none;Version=1
Set-Cookie: sessionId=38afes7a8;SameSite=none;Version=1
{quote}
Current output:
{quote}
Set-Cookie: sessionId=38afes7a8;Version=1
Set-Cookie: sessionId=38afes7a8;Comment=none;Version=1
SameSite=none;Version=1
{quote}
Note that the SameSite attribute is mistaken for the cookie name and value. (!)
In addition to explicitly supporting the SameSite attribute, it would be much
better if the parser behaved in a forward-compatible manner, at the very least
_ignoring_ unknown attributes, or better, keeping them in a general attribute
map. (Cf. [Jakarta’s `Cookie` class|https://jakarta.ee/specifications/servlet/6.0/apidocs/jakarta.servlet/jakarta/servlet/http/cookie#getAttributes()].)
See also [the current valid Set-Cookie syntax|https://httpwg.org/specs/rfc6265.html#sane-set-cookie].
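The forward-compatible behaviour requested in the report, as an added example that is not CXF code and not part of the original message: the first pair is always the cookie, and every later attribute, known or unknown, goes into a general map. The class name `LenientSetCookie` and the `FutureAttr` attribute are hypothetical, and the input is the header value without the `Set-Cookie:` prefix.

```java
import java.util.Map;
import java.util.TreeMap;

// Added illustration, not CXF code: LenientSetCookie is a hypothetical name.
public class LenientSetCookie {
    final String name;
    final String value;
    // Case-insensitive, so "SameSite", "samesite" and "SAMESITE" are one key.
    final Map<String, String> attributes = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    private LenientSetCookie(String name, String value) {
        this.name = name;
        this.value = value;
    }

    /** Parses a Set-Cookie header value (without the "Set-Cookie:" prefix). */
    static LenientSetCookie parse(String header) {
        String[] parts = header.split(";");
        // RFC 6265 section 5.2: the first name=value pair is always the cookie itself.
        int eq = parts[0].indexOf('=');
        if (eq <= 0) {
            throw new IllegalArgumentException("Missing cookie name: " + header);
        }
        LenientSetCookie cookie = new LenientSetCookie(
                parts[0].substring(0, eq).trim(), parts[0].substring(eq + 1).trim());
        // Everything after that is an attribute, known or not; none may replace the name.
        for (int i = 1; i < parts.length; i++) {
            String av = parts[i].trim();
            if (av.isEmpty()) {
                continue; // tolerate a trailing or doubled ';'
            }
            int sep = av.indexOf('=');
            String key = sep < 0 ? av : av.substring(0, sep).trim();
            String val = sep < 0 ? "" : av.substring(sep + 1).trim();
            cookie.attributes.put(key, val); // flag attributes such as Secure map to ""
        }
        return cookie;
    }

    public static void main(String[] args) {
        // Constructed sample input based on the header in this report;
        // FutureAttr is a made-up attribute standing in for one the parser has never seen.
        LenientSetCookie c = parse("sessionId=38afes7a8;SameSite=none; Secure; FutureAttr=1");
        System.out.println(c.name + "=" + c.value);
        System.out.println(c.attributes);
    }
}
```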