Hi, Google Chrome is about to support a new attribute called `SameSite` in cookies. https://blog.chromium.org/2019/10/developers-get-ready-for-new.html. I guess other browsers will soon follow.
The specification (https://tools.ietf.org/html/draft-west-cookie-incrementalism-00) is still in draft, but Chrome 80 (currently unstable) already supports the SameSite attribute and issues a warning when not present.

On the Servlet APIs side, this is being worked on at https://github.com/eclipse-ee4j/servlet-api/issues/175.

Currently JDK cookie classes do not support (obviously) this new attribute, but I wanted to start a discussion to support this in Java 11's HttpClient and in java.net.[HttpCookie|CookieManager|CookieStore] classes, possibly with backport to Java 11.

Would be great if the current Java cookie classes can be "refreshed" to support the new cookie RFCs, namely 6265 and 6265bis.

Thanks!

--
Simone Bordet
---
Finally, no matter how good the architecture and design are, to deliver bug-free software with optimal performance and reliability, the implementation technique must be flawless. Victoria Livschitz