Chris,

Yes, the SameSite attribute is still in a draft and this causes the mess,
at least partly.

And yes, I was thinking about something like that -
CookieProcessor.generateCookie(String userAgent, Cookie) or
CookieProcessor.generateCookie(Map<> requestHeaders, Cookie). I absolutely
agree that this would be very hacky. And it might be dangerous as
CookieProcessor is an interface and there already might be custom
implementations.
But can you think of another way of making the cookie generation logic
aware of the user agent header value?

Lazar

On Fri, Feb 14, 2020 at 8:59 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lazar,
>
> On 2/14/20 05:36, Lazar Kirchev wrote:
> > Chris,
> >
> > Just FYI or in case someone else hits this problem.
> >
> > Actually I had to use the response wrapper approach for Tomcat
> > 8.5.50 as well. As described by Chrome in
> > https://www.chromium.org/updates/same-site/incompatible-clients,
> > there are older browser versions which do not support the SameSite
> >  attribute at all and reject the cookies which contain it. Although
> >  Tomcat 8.5.42 and later provide the CookieProcessor configuration
> > for the SameSite attribute, it is a problem if one wants to
> > support older browser versions as well.
> Wow, what a huge pain in the neck. I don't see anything in RFC 6265
> that says anything about rejecting cookies with unknown attributes,
> but I also don't see anything prohibiting that behavior, either. Then
> again, RFC 6265 doesn't mention the SameSite attribute at all, so ...
> there is that.
>
> This is what you get when vendors try to implement standards before
> they are standards.
>
> > Adding the SameSite attribute in order to support newest Chrome
> > breaks the old ones as the configuration via the CookieProcessor
> > does not allow for user agent sniffing. Even if you extend the
> > existing CookieProcessor implementations or create your own, you
> > cannot get the request headers in it so that you can check for the
> > browser version. If one needs such flexibility, only the response
> > wrapper helps. Do you think that it makes sense to provide a
> > mechanism in the CookieProcessor to get access to the request
> > headers in order to check the user agent?
> Are you referring to CookieProcessor.generateCookie(Cookie)? So the
> proposal would be to change that to
> CookieProcessor.generateCookie(String userAgent, Cookie)? Or maybe
> even CookieProcessor.generateCookie(Map<> requestHeaders, Cookie)?
>
> It seems super hacky to do it that way, but I'm not sure I see another
> option for introducing SameSite in a compatible way.
>
> - -chris
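The response-wrapper workaround the thread describes, as an added example that is not code from the thread or from Tomcat: a servlet Filter that reads the request's User-Agent and adds SameSite=None (with Secure, which SameSite=None requires) to Set-Cookie headers only for clients not known to mishandle the attribute. It assumes the CookieProcessor is left at its default, so the filter is the only place SameSite is set, and the User-Agent pattern is a single illustrative entry (Safari on iOS 12) standing in for the full list on the Chromium incompatible-clients page linked above.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

public class SameSiteFilter implements Filter {
    // Illustrative pattern only (assumption): Safari on iOS 12 is one entry on the
    // Chromium incompatible-clients page; build the real predicate from its full list.
    private static final Pattern INCOMPATIBLE_UA = Pattern.compile("\\(iP.+; CPU .*OS 12[_\\d]*.*\\) AppleWebKit/");
    static boolean isSameSiteIncompatible(String userAgent) {
        return userAgent != null && INCOMPATIBLE_UA.matcher(userAgent).find();
    }
    // Appends SameSite=None, plus Secure (which SameSite=None requires), to a
    // Set-Cookie value that does not already carry a SameSite attribute.
    static String withSameSiteNone(String setCookie) {
        if (setCookie == null || setCookie.toLowerCase().contains("samesite=")) return setCookie;
        String out = setCookie + "; SameSite=None";
        return out.toLowerCase().contains("; secure") ? out : out + "; Secure";
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isSameSiteIncompatible(request.getHeader("User-Agent"))) {
            chain.doFilter(request, response); // old client: send cookies without SameSite
            return;
        }
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override public void addHeader(String n, String v) {
                super.addHeader(n, "Set-Cookie".equalsIgnoreCase(n) ? withSameSiteNone(v) : v);
            }
            @Override public void setHeader(String n, String v) {
                super.setHeader(n, "Set-Cookie".equalsIgnoreCase(n) ? withSameSiteNone(v) : v);
            }
            // Tomcat's addCookie() writes the header on the real response and bypasses
            // this wrapper, so serialise the Cookie here and route it through addHeader().
            @Override public void addCookie(Cookie c) {
                StringBuilder sb = new StringBuilder(c.getName()).append('=').append(c.getValue());
                if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
                if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
                if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
                if (c.isHttpOnly()) sb.append("; HttpOnly");
                if (c.getSecure()) sb.append("; Secure");
                addHeader("Set-Cookie", sb.toString());
            }
        });
    }
}
```

Register the filter in web.xml ahead of anything that sets cookies (including the session manager's JSESSIONID), otherwise those headers leave the wrapper untouched.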