[DELTASPIKE-1413] dsrwid cookie should not be set to sameSite="None" - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.9.5
Component/s: None
Security Level: public (Regular issues)
Labels:
None

Description

Currently the dsrwid cookie set by the lazy window handler is set to secure=false and sameSite=None.

This combination will not be allowed by Firefox in the future. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite.

Instead sameSite should be set to "lax", which is default in modern browsers.

Attachments

Activity

People

Assignee:: Mark Struberg

Reporter:: Matthias Walliczek

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 15/Jul/20 14:08

Updated:: 05/Mar/21 21:37

Resolved:: 05/Mar/21 21:37