SameSite cookie attribute

Simone Bordet simone.bordet at gmail.com
Tue Nov 19 20:28:44 UTC 2019


Hi,

Google Chrome is about to support a new attribute called `SameSite` in cookies.
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html.
I guess other browsers will soon follow.

The specification
(https://tools.ietf.org/html/draft-west-cookie-incrementalism-00) is
still in draft, but Chrome 80 (currently unstable) already support the
SameSite attribute and issues a warning when not present.

On the Servlet APIs side, this is being worked on at
https://github.com/eclipse-ee4j/servlet-api/issues/175.

Currently JDK cookie classes do not support (obviously) this new
attribute, but I wanted to start a discussion to support this in Java
11's HttpClient and in java.net.[HttpCookie|CookieManager|CookieStore]
classes, possibly with backport to Java 11.

Would be great if the current Java cookie classes can be "refreshed"
to support the new cookie RFCs, namely 6265 and 6265bis.

Thanks!

-- 
Simone Bordet
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz


More information about the net-dev mailing list