SameSite cookie attribute

Chris Hegarty chris.hegarty at oracle.com
Thu Nov 21 17:44:39 UTC 2019


Simone,

> On 19 Nov 2019, at 20:28, Simone Bordet <simone.bordet at gmail.com> wrote:
> 
> Hi,
> 
> Google Chrome is about to support a new attribute called `SameSite` in cookies.
> https://blog.chromium.org/2019/10/developers-get-ready-for-new.html.
> I guess other browsers will soon follow.
> 
> The specification
> (https://tools.ietf.org/html/draft-west-cookie-incrementalism-00) is
> still in draft, but Chrome 80 (currently unstable) already supports the
> SameSite attribute and issues a warning when not present.

SameSite support seems like it could be important.

> On the Servlet APIs side, this is being worked on at
> https://github.com/eclipse-ee4j/servlet-api/issues/175.
> 
> Currently JDK cookie classes do not support (obviously) this new
> attribute, but I wanted to start a discussion to support this in Java
> 11's HttpClient and in java.net.[HttpCookie|CookieManager|CookieStore]
> classes, possibly with backport to Java 11.
> 
> Would be great if the current Java cookie classes can be "refreshed"
> to support the new cookie RFCs, namely 6265 and 6265bis.

I’m still doing some background reading, but it seems at the very minimum that the less-than-fresh java.net.HttpCookie would need to know about, and support, the SameSite attribute. Currently attributes are modelled through a pair of explicit per-attribute mutators and accessors, so (following that style) SameSite would need a new pair of these. (Maybe a more general modelling of attributes is needed?) Without a general modelling of attributes, and without SameSite being published as part of an RFC, then I’d be reluctant to bake SameSite into the Java SE Specification (as a pair of mutator and accessor methods).

Maybe I’m missing your point or making an incorrect assumption (I’m still digesting some of this material)?

-Chris. 
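
The gap discussed in this message, as an added example that is not part of the original e-mail and is not JDK code: `java.net.HttpCookie.parse` ignores attributes it does not know, so a caller has to read SameSite from the raw header and apply the draft's rules itself (a missing attribute is treated as Lax, and `SameSite=None` requires `Secure`). The class name, the helpers `sameSite` and `classify`, and the sample headers are hypothetical.

```java
import java.net.HttpCookie;
import java.util.Locale;
import java.util.Optional;

public class SameSiteCheck {

    // Hypothetical helper: java.net.HttpCookie has no SameSite accessor,
    // so read the attribute from the raw Set-Cookie value instead.
    static Optional<String> sameSite(String setCookie) {
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {      // parts[0] is name=value
            String[] kv = parts[i].split("=", 2);
            if (kv[0].trim().equalsIgnoreCase("SameSite")) {
                String v = kv.length == 2 ? kv[1].trim() : "";
                return Optional.of(v.toLowerCase(Locale.ROOT));
            }
        }
        return Optional.empty();
    }

    // Classify a cookie the way the draft describes: a missing attribute is
    // treated as Lax, and SameSite=None is only accepted together with Secure.
    static String classify(String setCookie) {
        // parse() ignores the unknown SameSite attribute; Secure is still modelled.
        HttpCookie cookie = HttpCookie.parse(setCookie).get(0);
        Optional<String> value = sameSite(setCookie);
        if (!value.isPresent()) {
            return "lax (default, attribute missing)";
        }
        switch (value.get()) {
            case "strict": return "strict";
            case "lax":    return "lax";
            case "none":   return cookie.getSecure() ? "none" : "rejected (None without Secure)";
            default:       return "unrecognised value: " + value.get();
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers, not taken from real traffic.
        String[] samples = {
            "SID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
            "SID=abc123; Path=/; HttpOnly",
            "TRACK=xyz; Path=/; SameSite=None",
            "TRACK=xyz; Path=/; Secure; SameSite=None",
        };
        for (String s : samples) {
            System.out.println(classify(s) + "  <-  " + s);
        }
    }
}
```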

