Initial SameSite Cookie support was implemented by
UNDERTOW-1024 2 year ago. It was based on https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00.
Though the specification is still draft, as per https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1, some part has been updated. For example:
- A new "None" attribute is added in addition to "Strict" and "Lax".
- A bare SameSite attribute is not supported. SameSite attribute needs to be set with "Strict", "Lax" or "None".
I would like to propose the following update for SameSite Cookie support:
- Define 3 SameSiteMode ("Strict", "Lax" and "None") as enum in io.undertow.server.handlers.Cookie
- Implement getSameSiteMode() and setSameSiteMode() in io.undertow.servlet.spec.ServletCookieAdaptor. Servlet API has not yet supported SameSite Cookie, but this can enable SameSite flag to the Servlet Cookie through the Undertow API
- Add SameSiteCookieHandler which can set the SameSite flag on all cookies or the cookie which matches specified name.
In addition, as per the articles https://web.dev/samesite-cookie-recipes/ and https://www.chromium.org/updates/same-site/incompatible-clients which was written just after raising this JIRA, there are some user agents are known to be not compatible with SameSite=None attribute. So, I would like to add a utility class that can detect such incompatible clients and can be used not to send SameSite=None cookie for such clients.