Project: Undertow
Issue: UNDERTOW-1024

Add an experimental support for SameSite Cookie attribute

    Details

    • Type: Feature Request
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 2.0.0.Beta1
    • Component/s: Core
    • Labels: None

      Description

      There is a new internet draft which updates RFC6265 to add the "SameSite" attribute to Cookie.

      https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

      The OWASP SameSite page describes:

      SameSite allows a server to define a cookie attribute making it impossible for the browser to send this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage, and it provides some protection against cross-site request forgery attacks.

      Further references and examples are also available in the following.

      http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
      https://scotthelme.co.uk/csrf-is-dead/
      https://blogs.dropbox.com/tech/2017/03/preventing-cross-site-attacks-using-same-site-cookies/

      It's worthwhile to start adding initial experimental support for the Same-site Cookie in Undertow.

      Of course, I understand it's still in draft status and not yet fully implemented in many browsers at this moment. Also I understand that it will not be available within a servlet application unless the servlet API javax.servlet.http.Cookie has been updated to add support for it.
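The attribute and the browser behaviour the description refers to, as an added illustration that is not part of the issue and not Undertow code: a Set-Cookie serializer/parser for the two modes defined in draft-00 (Strict and Lax) plus the browser-side decision of whether a cookie is attached to a request. The request classification (same-site, top-level navigation, method) is a simplified model of the draft's rules; names such as Cookie and browser_attaches are assumptions.

```python
"""SameSite cookie attribute per draft-ietf-httpbis-cookie-same-site-00.
Added illustration only; not Undertow's implementation."""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SAME_SITE_MODES = ("Strict", "Lax")


@dataclass
class Cookie:
    name: str
    value: str
    same_site: Optional[str] = None   # "Strict", "Lax", or None (attribute absent)
    secure: bool = False
    http_only: bool = False


def set_cookie_header(c: Cookie) -> str:
    """Render the Set-Cookie header value, rejecting unknown SameSite modes."""
    if c.same_site is not None and c.same_site not in SAME_SITE_MODES:
        raise ValueError(f"unknown SameSite mode: {c.same_site!r}")
    parts = [f"{c.name}={c.value}"]
    if c.secure:
        parts.append("Secure")
    if c.http_only:
        parts.append("HttpOnly")
    if c.same_site:
        parts.append(f"SameSite={c.same_site}")
    return "; ".join(parts)


def parse_same_site(header: str) -> Optional[str]:
    """Return the SameSite mode of a Set-Cookie value (attribute names are case-insensitive)."""
    for attr in header.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val.strip()
    return None


def browser_attaches(c: Cookie, same_site_request: bool,
                     top_level_navigation: bool, method: str) -> bool:
    """Draft-00 rules: no attribute -> always sent (the pre-SameSite behaviour
    CSRF relies on); Strict -> never on cross-site requests; Lax -> cross-site
    only for top-level navigations using a safe method."""
    if c.same_site is None or same_site_request:
        return True
    if c.same_site == "Strict":
        return False
    return top_level_navigation and method.upper() in SAFE_METHODS
```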

              People

              • Assignee: Stuart Douglas (swd847)
              • Reporter: Masafumi Miura (mmiura)
              • Votes: 0
              • Watchers: 1
