Details
- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- None
- None
Description
The standard Authorization-Bearer cookie includes the SameSite attribute in the Set-Cookie response header, but the other cookies used for CSRF mitigation, logout processing, and external authentication service integration do not apply the attribute when they are set.
The Java Servlet Cookie does not support the SameSite attribute, but the NiFi StandardApplicationCookieService uses the Spring Response Cookie Builder, which supports the attribute and can apply it to Set-Cookie headers. Direct use of the Java Servlet Cookie should be replaced with the implementation approach that supports setting the SameSite attribute, avoiding warnings in modern browsers. In the absence of the SameSite attribute, browsers default to Lax, but this can be changed to Strict in most cases.
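The contrast described above, shown as an added example rather than NiFi's own code: the servlet `Cookie` API offers no SameSite setter, so a cookie written through `HttpServletResponse.addCookie` reaches the browser without the attribute, while Spring's `ResponseCookie` builder emits it directly into the `Set-Cookie` header value. The class name `SameSiteCookieExample`, the helper method names, and the use of the `jakarta.servlet` package (rather than `javax.servlet`) are assumptions for illustration; `ResponseCookie.from(...).sameSite(...)` is the real Spring API.

```java
import jakarta.servlet.http.Cookie;                 // assumption: Jakarta namespace; older stacks use javax.servlet
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

/** Illustrative class, not part of NiFi: before/after for applying SameSite to a cookie. */
public class SameSiteCookieExample {

    /** Before: java Servlet Cookie. There is no setSameSite(), so the header is sent without it
     *  and the browser falls back to its Lax default (and may log a console warning). */
    public static void addServletCookie(HttpServletResponse response, String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/");
        response.addCookie(cookie);
    }

    /** After: Spring ResponseCookie builder. sameSite() accepts "Strict", "Lax" or "None";
     *  the resulting toString() is the complete Set-Cookie header value. */
    public static ResponseCookie buildResponseCookie(String name, String value, String sameSite) {
        return ResponseCookie.from(name, value)
                .httpOnly(true)
                .secure(true)
                .path("/")
                .sameSite(sameSite)
                .build();
    }

    public static void addResponseCookie(HttpServletResponse response, String name, String value) {
        ResponseCookie cookie = buildResponseCookie(name, value, "Strict");
        // Written as a raw header: the servlet Cookie type cannot carry SameSite, so addCookie() is bypassed.
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    /** Simple check a test could run: the header value must carry the attribute. */
    public static boolean hasSameSite(ResponseCookie cookie, String expected) {
        return cookie.toString().contains("SameSite=" + expected);
    }
}
```

`buildResponseCookie("example-cookie", "abc", "Strict").toString()` yields a header value of the form `example-cookie=abc; Path=/; Secure; HttpOnly; SameSite=Strict`. Strict is appropriate for cookies that are only read on same-site requests, such as CSRF and logout state; a cookie that must be present on the redirect back from an external identity provider is a top-level cross-site navigation and would not be sent under Strict, which is why Lax remains the right value for that remaining case.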
Issue Links
- links to