Simone,

> On 19 Nov 2019, at 20:28, Simone Bordet <simone.bor...@gmail.com> wrote:
>
> Hi,
>
> Google Chrome is about to support a new attribute called `SameSite` in
> cookies.
> https://blog.chromium.org/2019/10/developers-get-ready-for-new.html.
> I guess other browsers will soon follow.
>
> The specification
> (https://tools.ietf.org/html/draft-west-cookie-incrementalism-00) is
> still in draft, but Chrome 80 (currently unstable) already supports the
> SameSite attribute and issues a warning when not present.

SameSite support seems like it could be important.

> On the Servlet APIs side, this is being worked on at
> https://github.com/eclipse-ee4j/servlet-api/issues/175.
>
> Currently JDK cookie classes do not support (obviously) this new
> attribute, but I wanted to start a discussion to support this in Java
> 11's HttpClient and in java.net.[HttpCookie|CookieManager|CookieStore]
> classes, possibly with backport to Java 11.
>
> Would be great if the current Java cookie classes can be "refreshed"
> to support the new cookie RFCs, namely 6265 and 6265bis.

I’m still doing some background reading, but it seems at the very
minimum that the less-than-fresh java.net.HttpCookie would need to
know about, and support, the SameSite attribute. Currently attributes
are modelled through a pair of explicit per-attribute mutators and
accessors, so ( following that style ) SameSite would need a new pair
of these. ( maybe a more general modelling of attributes is needed? )

Without a general modelling of attributes, and without SameSite being
published as part of an RFC, then I’d be reluctant to bake SameSite
into the Java SE Specification ( as a pair of mutator and accessor
methods ).

Maybe I’m missing your point or making an incorrect assumption ( I’m
still digesting some of this material )?

-Chris.
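
The "more general modelling of attributes" raised in the reply above, sketched as an added example (not code from this thread or from the JDK): `GenericCookie` and all of its methods are hypothetical names, and the header in `main` is a constructed sample. Every Set-Cookie attribute is kept in a case-insensitive map with a typed SameSite view on top, so an attribute the class does not know about still survives parsing.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;

// Hypothetical class for illustration; not part of java.net or any JDK proposal.
public final class GenericCookie {
    public enum SameSite { STRICT, LAX, NONE }

    private final String name;
    private final String value;
    // Case-insensitive keys, so "samesite" and "SameSite" are the same attribute.
    private final Map<String, String> attributes = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    private GenericCookie(String name, String value) { this.name = name; this.value = value; }

    // Parses one Set-Cookie header value and keeps every attribute, known or not.
    public static GenericCookie parse(String header) {
        String[] parts = header.split(";");
        int eq = parts[0].indexOf('=');
        if (eq <= 0) throw new IllegalArgumentException("missing cookie name");
        GenericCookie c = new GenericCookie(parts[0].substring(0, eq).trim(),
                                            parts[0].substring(eq + 1).trim());
        for (int i = 1; i < parts.length; i++) {
            String av = parts[i].trim();
            if (av.isEmpty()) continue;
            int p = av.indexOf('=');
            // Flag attributes such as Secure and HttpOnly carry no value.
            c.attributes.put(p < 0 ? av : av.substring(0, p).trim(),
                             p < 0 ? "" : av.substring(p + 1).trim());
        }
        return c;
    }

    public String name() { return name; }
    public String value() { return value; }
    public Optional<String> attribute(String key) { return Optional.ofNullable(attributes.get(key)); }

    // Typed view over the generic map; empty when absent or not a recognised value.
    public Optional<SameSite> sameSite() {
        String v = attributes.get("SameSite");
        if (v == null) return Optional.empty();
        try { return Optional.of(SameSite.valueOf(v.toUpperCase(Locale.ROOT))); }
        catch (IllegalArgumentException e) { return Optional.empty(); }
    }

    public static void main(String[] args) {
        // Constructed sample header.
        GenericCookie c = parse("SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax");
        System.out.println(c.name() + " SameSite=" + c.sameSite());
        System.out.println("Secure present: " + c.attribute("secure").isPresent());
    }
}
```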