Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SHIRO-793] deleteMe cookie should use the defined "sameSite" #257

Merged
merged 1 commit into from
Oct 17, 2020
Merged

[SHIRO-793] deleteMe cookie should use the defined "sameSite" #257

merged 1 commit into from
Oct 17, 2020

Conversation

FredTreg
Copy link
Contributor

@FredTreg FredTreg commented Oct 1, 2020
edited
Loading

With Chrome increasing security of cookies not defining any SameSite options, the deleteMe cookie may be blocked by Chrome under some circumstances.
For example, when an app is used within a cross-site iframe, one must defined the option SameSite=None option. This works for the main cookie, but the deleteMe is currently blocked. This commit fixes this.

Following this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a JIRA issue filed
    for the change (usually before you start working on it). Trivial changes like typos do not
    require a JIRA issue. Your pull request should address just this issue, without pulling in other changes.
  • Each commit in the pull request should have a meaningful subject line and body.
  • Format the pull request title like [SHIRO-XXX] - Fixes bug in SessionManager,
    where you replace SHIRO-XXX with the appropriate JIRA issue. Best practice
    is to use the JIRA issue title in the pull request title and in the first line of the commit message.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Run mvn clean install apache-rat:check to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
  • If you have a group of commits related to the same change, please squash your commits into one and force push your branch using git rebase -i.

Trivial changes like typos do not require a JIRA issue (javadoc, comments...).
In this case, just format the pull request title like (DOC) - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.
@FredTreg
deleteMe cookie should use the defined "sameSite"
c5e8075 
With Chrome increasing security of cookies not defining any SameSite options, the deleteMe cookie may be blocked by Chrome under some circumstances.
For example, when an app is used within a cross-site iframe, one must defined the option SameSite=None option. This works for the main cookie, but the deleteMe is currently blocked. This commit fixes this.
@bmarwell
Copy link
Contributor

bmarwell commented Oct 2, 2020

Thanks!

Can you please describe in a few words what the possible impacts are if not merging this commit?
@bdemers bdemers changed the title deleteMe cookie should use the defined "sameSite" Oct 17, 2020
@bdemers bdemers merged commit c632a62 into apache:master Oct 17, 2020
@bdemers
Copy link
Member

bdemers commented Oct 17, 2020

Merged to 1.6.x as well
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
3 participants
@FredTreg @bmarwell @bdemers