-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Lazar,

On 2/21/20 10:29, Lazar Kirchev wrote:
> Yes, the SameSite attribute is still in a draft and this causes
> the mess, at least partly.> And yes, I was thinking about something
> like that - CookieProcessor.generateCookie(String userAgent,
> Cookie) or CookieProcessor.generateCookie(Map<> requestHeaders,
> Cookie). I
absolutely
> agree that this would be very hacky. And it might be dangerous as
> CookieProcessor is an interface and there already might be custom
> implementations.

We can fix that with default implementations, for Java versions that
support such thing (Java >= 1.8).

> But can you think of another way of making the cookie generation
> logic aware of the user agent header value?

Not really.

I have a preference for:

CookieProcessor.generateCookie(Map<> requestHeaders, Cookie)

This is because User-Agent might not be the only header which is
useful, here. For example, Google Chrome (amusingly enough) will be
removing the User-Agent header[1] in favor of "client hints"[2].

So you might have to look at more than one header at a time, including
possibly User-Agent.

- -chris

[1]
https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-
chrome/

[2] https://wicg.github.io/ua-client-hints/

> On Fri, Feb 14, 2020 at 8:59 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Lazar,
>
> On 2/14/20 05:36, Lazar Kirchev wrote:
>>>> Chris,
>>>>
>>>> Just FYI or in case someone else hits this problem.
>>>>
>>>> Actually I had to use the response wrapper approach for
>>>> Tomcat 8.5.50 as well. As described by Chrome in
>>>> https://www.chromium.org/updates/same-site/incompatible-clients,
>>>>
>>>>
there are older browser versions which do not support the SameSite
>>>> attribute at all and reject the cookies which contain it.
>>>> Although Tomcat 8.5.42 and later provide the CookieProcessor
>>>> configuration for the SameSite attribute, it is a problem if
>>>> one wants to support older browser versions as well.
> Wow, what a huge pain in the neck. I don't see anything in RFC
> 6265 that says anything about rejecting cookies with unknown
> attributes, but I also don't see anything prohibiting that
> behavior, either. Than again, RFC 6265 doesn't mention the SameSite
> attribute at all, so ... there is that.
>
> This is what you get when vendors try to implement standards
> before they are standards.
>
>>>> Adding the SameSite attribute in order to support newest
>>>> Chrome breaks the old ones as the configuration via the
>>>> CookieProcessor does not allow for user agent sniffing. Even
>>>> if you extend the existing CookieProcessor implementations or
>>>> create your own, you cannot get the request headers in it so
>>>> that you can check for the browser version. If one needs such
>>>> flexibility, only the response wrapper helps. Do you think
>>>> that it makes sense to provide a mechanism in the
>>>> CookieProcessor to get access to the request headers in order
>>>> to check the user agent?
> Are you referring to CookieProcessor.generateCookie(Cookie)? So
> the proposal would be to change that to
> CookieProcessor.generateCookie(String userAgent, Cookie)? Or maybe
> even CookieProcessor.generateCookie(Map<> rquestHeaders, Cookie)?
>
> It seems super hacky to do it that way, but I'm not sure I see
> another option for introducing SameSite in a compatible way.
>
> -chris
>>
>> ---------------------------------------------------------------------
>>
>>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5QEJgACgkQHPApP6U8
pFgC6w/7BzMCRdeR4Kldjigj6R48AUWcUorN0R1tQu4pxOT04DWPPkC+qXWoCtkT
MNB3VgAuqjPnNLUDaGskvhU73p4lGqa2Z2scFKfS7CjTDs/cgwTusl+/bHqynK1P
zxea0tU5DQvVUNbo5tvfWhwzoE/7/5lCcevkmBIwinktNr7+tOygIFvJl0vR7g5J
diXmOlG0ratoGcbxr6qCzb/X3q7aUwn2U/m3yakX6HXcWg4tbOeVX969w5NU4i7c
G+u5I+ayMqZt4DOU/5izuknsBUtvTEn36INoYaUmlK72KZofh9MOU56dSE/lyyPd
snL493LHkgnCjpA8Se4GDHEV/TUqvn1/c0sSRzf6dMgwnE2w61VtJVzDstklWhWW
0S9GoTb+yi89QLcCPSJA2ZWiS2kbPMnEPqxgHTFwkhnqKpyjr9hw4h5O4Qr6fLYs
bD8QihLWvyjoa4ImpIQZ3n+6556OEGYg6fUO/RKlx3cLB7nplsXUr0IxpE3XFW9T
iV4ZaiZHtT+CtrDVqy2DO1kzj5GAxaoUWTXsDN4sqCwvJnAUId1rBpz0B1yZPPQh
vPB3z6E1RmfOynY1ZWI+i3oJDd02ytsKsfnMaOYcYe8jE3WIsjvoCbzEQLr5nOQR
YBSm40NqgJt3Obb2w/5IuFzgTSLyIpy8wIopYIUSmI1qhTDSEZQ=
=mZj/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to