This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/release17.12 by this push:
     new 1617226 Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
1617226 is described below

commit 16172268977aae2c43f8535d1421fb735d1ccb6d
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 21 11:55:53 2020 +0100

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

It's better to allow users to change from strict to lax, at least for all cookies. Some could want to change it by cookie type. I let the exercise for them :)

See:https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60

Conflicts handled by hand
framework/security/config/security.properties
---
 framework/security/config/security.properties | 4 ++++
 .../main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index fd70f07..5b809ff 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -134,3 +134,7 @@ security.login.externalLoginKey.enabled=true
 
 # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
 login.secret_key_string=Secret Key
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed
+SameSiteCookieAttribute=
+
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
index bc96fec..e064332 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
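Review bot: The new key is shipped empty (`SameSiteCookieAttribute=`), so the effective default rests on `UtilProperties.getPropertyValue(resource, name, defaultValue)` treating an empty value as absent; if that helper returns the empty string instead, every cookie goes out with a bare `SameSite=` attribute, which browsers do not recognise and simply ignore, the opposite of what the comment promises. Shipping the explicit value `SameSiteCookieAttribute=strict` removes the dependence on the helper's empty-string handling and documents the default in the file itself. The comment also has a typo, `ot lax` should read `to lax`, and it would help operators to state that `strict` and `lax` are the only values the filter is designed for, since the visible filter code appends nothing but the SameSite attribute and `None` would additionally require `Secure`.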
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
@@ -28,8 +28,12 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.HttpHeaders;
 
+import org.apache.ofbiz.base.util.UtilProperties;
+
 public class SameSiteFilter implements javax.servlet.Filter {
+
+    private static final String SameSiteCookieAttribute = UtilProperties.getPropertyValue("security.properties", "SameSiteCookieAttribute", "strict");
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
@@ -46,11 +50,11 @@ public class SameSiteFilter implements javax.servlet.Filter {
         boolean firstHeader = true;
         for (String header : headers) { // there can be multiple Set-Cookie attributes
             if (firstHeader) {
-                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
                 firstHeader = false;
                 continue;
             }
-            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
         }
     }
|
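Review bot: The value read into the new `SameSiteCookieAttribute` field is used verbatim, so a typo or stray whitespace in security.properties (or a value such as `none`, for which the visible code never adds the `Secure` attribute it requires) produces a SameSite attribute that browsers do not recognise and silently ignore, which drops exactly the protection this filter exists to add. Normalise and validate the value once at class-initialisation time and fall back to `Strict` for anything that is not `strict` or `lax`, as sketched below. As a point of style, a `private static final` constant would be named `SAME_SITE_COOKIE_ATTRIBUTE` under the project's Java conventions, and the field deserves a one-line comment naming the property it is read from. The class body continues past the end of the hunk.
```java
public class SameSiteFilter implements javax.servlet.Filter {

    // Read once per class load; the third argument is the fallback when the key is not set,
    // normaliseSameSite() covers a key that is present but holds an unusable value.
    private static final String SameSiteCookieAttribute = normaliseSameSite(
            UtilProperties.getPropertyValue("security.properties", "SameSiteCookieAttribute", "strict"));

    /**
     * Restricts the configured value to the two attribute values this filter can emit safely.
     * An unrecognised value would be ignored by browsers and silently remove the protection.
     */
    private static String normaliseSameSite(String configured) {
        String value = configured == null ? "" : configured.trim();
        if ("lax".equalsIgnoreCase(value)) {
            return "Lax";
        }
        return "Strict";
    }

    // … unchanged: init() and the rest of the class …
```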
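Review bot: Both changed lines rebuild the same `"SameSite=" + SameSiteCookieAttribute` string for every Set-Cookie header of every response, and the expression is now duplicated between the `setHeader` and `addHeader` branches; since the value is a class constant, build it once, `private static final String SAME_SITE_SUFFIX = "SameSite=" + SameSiteCookieAttribute;`, and pass `SAME_SITE_SUFFIX` to both `String.format` calls. Neither line checks whether `header` already carries a SameSite attribute, so a cookie that arrives with one would be sent with two; that behaviour predates this commit, but it is worth a case-insensitive guard (`Locale.ROOT` lower-casing) now that the appended value is configurable. The loop comment says "multiple Set-Cookie attributes" where it means headers. The enclosing method starts before the hunk.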