This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/release18.12 by this push:
     new c3dd26c  Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
c3dd26c is described below

commit c3dd26c6ef8a82e3729add9bc295d469149cd4db
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Mar 20 17:50:17 2020 +0100

    Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
    (OFBIZ-11470)

    Forgot to add UtilHttp::SameSiteFilter
---
 .../ofbiz/webapp/control/SameSiteFilter.java | 61 ++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
new file mode 100644
index 0000000..bc96fec
--- /dev/null
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *******************************************************************************/
+package org.apache.ofbiz.webapp.control;
+import java.io.IOException;
+import java.util.Collection;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.HttpHeaders;
+
+
+public class SameSiteFilter implements javax.servlet.Filter {
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        chain.doFilter(request, response);
+        addSameSiteCookieAttribute((HttpServletResponse) response); // add SameSite=strict cookie attribute
+    }
+
+    public static void addSameSiteCookieAttribute(HttpServletResponse response) {
+        Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE);
+        boolean firstHeader = true;
+        for (String header : headers) { // there can be multiple Set-Cookie attributes
+            if (firstHeader) {
+                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+                firstHeader = false;
+                continue;
+            }
+            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+        }
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
\ No newline at end of file
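Review bot: addSameSiteCookieAttribute appends `SameSite=Strict` unconditionally, so a Set-Cookie header that already carries a SameSite attribute (for example one produced by the container's cookie processor or by another filter) goes out with two of them, and which one the browser honours then depends on attribute order; compute the value once as `String value = header.toLowerCase(Locale.ROOT).contains("samesite=") ? header : header + "; SameSite=Strict";` and use it in both the setHeader and addHeader branches (Locale needs a new java.util import). Because the rewrite runs only after `chain.doFilter` returns, any response that was already committed downstream (a flushed or streamed body) silently ignores setHeader/addHeader and its cookies leave without the attribute, so it is worth checking `response.isCommitted()` at the top of doFilter's post-processing and logging when the attribute could not be applied. Strict also withholds every cookie, the session cookie included, on cross-site top-level navigations such as links from e-mail or a payment gateway's return redirect, so users arrive logged out; if that is intended, say so in a class-level comment, e.g. `// SameSite=Strict: cookies are withheld on any cross-site request, including top-level navigation; use Lax where external redirects back into an authenticated session are required.` Finally, pulling `javax.ws.rs.core.HttpHeaders` into a servlet filter solely for the "Set-Cookie" constant adds a JAX-RS API dependency to the webapp module; a local `private static final String SET_COOKIE = "Set-Cookie";` would avoid it.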