[feature request] add support for SameSite cookie attribute

Expected Behavior

Modern browsers support a new attribute SameSite on cookies, to mitigate CSRF attacks. From https://tools.ietf.org/html/draft-west-first-party-cookies-07

This document updates RFC6265 by defining a “SameSite” attribute which allows servers to assert that a cookie ought not to be sent along with cross-site requests. This assertion allows user agents to mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks.

It is enabled by default in Chrome 51, and has public support from Firefox: https://www.chromestatus.com/feature/4672634709082112

I should be able to set the SameSite attribute (either SameSite, SameSite=lax or SameSite=strict) on netty cookies.

Actual behavior

There are no getters/setters for this attribute defined here: https://github.com/netty/netty/blob/4.1/codec-http/src/main/java/io/netty/handler/codec/http/cookie/Cookie.java

Attempting to set this attribute in the value of the cookie results in it being (correctly) escaped.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 8 (6 by maintainers)
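
One way to emit the attribute while the Cookie interface has no setter for it, shown as an added example (not code from the issue or from netty): post-process the Set-Cookie string that a cookie encoder has already produced, instead of putting the attribute into the cookie value. The class and method names are hypothetical, only the JDK is used, and the sample header values are constructed.

```java
import java.util.ArrayList;
import java.util.List;

public final class SameSiteHeader {

    /** The two enforcement modes named in the issue. */
    enum Mode {
        STRICT("Strict"), LAX("Lax");
        final String token;
        Mode(String token) { this.token = token; }
    }

    /**
     * Returns the Set-Cookie value carrying exactly one SameSite attribute.
     * The input is the string a cookie encoder already produced, so the
     * name=value pair is left untouched and only attributes are edited.
     */
    static String withSameSite(String setCookie, Mode mode) {
        if (setCookie == null) {
            throw new IllegalArgumentException("header value is null");
        }
        // Refuse CR/LF: a header value must never span lines.
        if (setCookie.indexOf('\r') >= 0 || setCookie.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR/LF in header value");
        }
        String[] parts = setCookie.split(";");
        if (parts.length == 0 || parts[0].indexOf('=') <= 0) {
            throw new IllegalArgumentException("expected name=value[; attr...]");
        }
        List<String> kept = new ArrayList<>();
        kept.add(parts[0].trim());                 // the name=value pair
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            int eq = attr.indexOf('=');
            String name = eq < 0 ? attr : attr.substring(0, eq).trim();
            // Drop an existing SameSite (bare or valued) so it is not duplicated.
            if (!attr.isEmpty() && !name.equalsIgnoreCase("SameSite")) {
                kept.add(attr);
            }
        }
        kept.add("SameSite=" + mode.token);
        return String.join("; ", kept);
    }

    public static void main(String[] args) {
        // Constructed sample header values, not taken from the issue.
        System.out.println(withSameSite("SESSION=abc123; Path=/; Secure; HTTPOnly", Mode.LAX));
        System.out.println(withSameSite("SESSION=abc123; Path=/; samesite; Secure", Mode.STRICT));
    }
}
```

The helper is meant to run on the encoded header string just before it is added to the response.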

Top GitHub Comments

1 reaction
AlexLaviolette commented, Jan 9, 2018

Any update on this? More relevant now with the disclosure of spectre/meltdown

1 reaction
slandelle commented, Mar 7, 2017

Not a maintainer either, but I know the answer for sure: Cookie is an API, and it’s not possible to break it until next major release. I’m not aware of any ETA for that, but it should give ample time to see if this draft becomes popular and decide to support it if so.
