Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1024

Add an experimental support for SameSite Cookie attribute

    XMLWordPrintable

Details

    • Feature Request
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 2.0.0.Beta1
    • Core
    • None

    Description

      There is a new internet draft which updates RFC6265 to add the "SameSite" attribute to Cookie.

      https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

      The OWASP's SameSite page desribes:

      SameSite allows a server define a cookie attribute making it impossible to the browser send this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks.

      Further references and examples are also available in the followings.

      http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
      https://scotthelme.co.uk/csrf-is-dead/
      https://blogs.dropbox.com/tech/2017/03/preventing-cross-site-attacks-using-same-site-cookies/

      It's worthy to start adding an initial experimental support for the Same-site Cookie in Undertow.

      Of course, I understand it's still draft status and not yet fully implemented in many browsers at this moment. Also I understand that it will not be available within servlet application unless the servlet API javax.servlet.http.Cookie has been updated to add support for it.

      Attachments

        Activity

          People

            sdouglas1@redhat.com Stuart Douglas
            rhn-support-mmiura Masafumi Miura
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: