Add experimental support for the SameSite cookie attribute

Details

    • Type: Feature Request
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 2.0.0.Beta1
    • Affects Version/s: None
    • Component/s: Core
    • Labels: None

    Description

      There is a new Internet-Draft that updates RFC 6265 to add the "SameSite" attribute to cookies.

      https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

      The OWASP SameSite page describes it as follows:

      SameSite allows a server to define a cookie attribute making it impossible for the browser to send this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage, and it provides some protection against cross-site request forgery attacks.

      Further references and examples are available in the following:

      http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
      https://scotthelme.co.uk/csrf-is-dead/
      https://blogs.dropbox.com/tech/2017/03/preventing-cross-site-attacks-using-same-site-cookies/

      It is worthwhile to start adding initial experimental support for the SameSite cookie attribute in Undertow.

      Of course, I understand it is still in draft status and not yet fully implemented in many browsers at this moment. I also understand that it will not be available within servlet applications unless the servlet API javax.servlet.http.Cookie has been updated to add support for it.
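      As an added illustration of the rule the draft introduces (example code written for this page, not Undertow's implementation), the following Python model parses the SameSite attribute out of a Set-Cookie header and decides whether a browser following draft-00 would attach the cookie to a given request. The URLs are constructed, and "same site" is approximated by comparing the last two host labels, which is an assumption: the draft uses the registrable domain, which needs a public-suffix list.

```python
"""Model of the SameSite cookie rule in draft-ietf-httpbis-cookie-same-site-00.

Constructed example, not Undertow code. "Same site" is approximated by the
last two labels of the host (an assumption; the draft uses the registrable
domain, which requires a public-suffix list).
"""
from typing import Optional
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # RFC 7231 safe methods


def parse_same_site(set_cookie: str) -> Optional[str]:
    """Return 'Strict', 'Lax' or None for a Set-Cookie header value.

    The -00 draft maps any value other than "Lax" to "Strict", so a typo
    such as SameSite=Strct still yields the stricter behaviour.
    """
    for attribute in set_cookie.split(";")[1:]:
        name, _, value = attribute.strip().partition("=")
        if name.strip().lower() == "samesite":
            return "Lax" if value.strip().lower() == "lax" else "Strict"
    return None


def site_of(url: str) -> str:
    """Simplified 'site' of a URL: the last two labels of its host."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def browser_sends_cookie(same_site: Optional[str], request_url: str,
                         initiator_url: str, method: str,
                         top_level_navigation: bool) -> bool:
    """Would a browser following the draft attach the cookie to this request?

    request_url   - where the request goes (the cookie's origin server)
    initiator_url - the document that caused the request (form, img, fetch)
    """
    if same_site is None:                      # attribute absent: sent on every request
        return True
    if site_of(request_url) == site_of(initiator_url):
        return True                            # same-site request: always sent
    if same_site == "Lax":                     # Lax: only safe top-level navigations
        return top_level_navigation and method.upper() in SAFE_METHODS
    return False                               # Strict: never sent cross-site
```

      The CSRF case the OWASP text refers to is a cross-site form POST: with SameSite=Strict or SameSite=Lax the model returns False for it, while a cookie without the attribute is still attached.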

      People

        Assignee: Stuart Douglas (sdouglas1@redhat.com)
        Reporter: Masafumi Miura (rhn-support-mmiura)
