[ofbiz-framework] branch trunk updated: Documented: CsrfDefenseStrategy in case of no support for SameSite cookie attribute

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 16c2d35  Documented: CsrfDefenseStrategy in case of no support for SameSite cookie attribute
16c2d35 is described below

commit 16c2d3521990caf5e8703cbb323ce1146c93b9ce
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Jul 6 15:14:29 2020 +0200

    Documented: CsrfDefenseStrategy in case of no support for SameSite cookie attribute
   
    Use of CsrfDefenseStrategy in case of potential use of a browser version not
    supporting the SameSite cookie attribute
   
    Refer to https://caniuse.com/#feat=same-site-cookie-attribute
---
 framework/security/config/security.properties | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index d3b32d2..bf1d075 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -179,11 +179,15 @@ csrf.tokenName.nonAjax=
 csrf.entity.request.limit=
 
 # -- CSRF defense strategy.
-# -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies,
+# -- Because OOTB OFBiz  also sets the SameSite attribute to 'strict' for all cookies,
 # -- which is an effective CSRF defense,
 # -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified.
 # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy
-# -- if you need to use a 'lax' for SameSiteCookieAttribute
+# -- if you need to use a 'lax' for SameSiteCookieAttribute.
+# --
+# -- Or if you, or your users, use, or may use, a browser version that
+# -- is not supporting the SameSite cookie attribute
+# -- You may refer to https://caniuse.com/#feat=same-site-cookie-attribute
 csrf.defense.strategy=
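Review bot: the added comment lines have several wording defects: line `# -- Because OOTB OFBiz  also sets the SameSite attribute` introduces a double space, and the new paragraph starting `# -- Or if you, or your users, use, or may use, a browser version that` opens a sentence with "Or", uses "is not supporting" where "does not support" is idiomatic, and has no terminating punctuation before the "You may refer to" line. Suggest folding it into the preceding sentence, for example: `# -- if you need to use 'lax' for SameSiteCookieAttribute, or if you or your users` / `# -- use (or may use) a browser version that does not support the SameSite cookie attribute.` / `# -- See https://caniuse.com/#feat=same-site-cookie-attribute`. It would also help the reader to state the consequence explicitly: a browser without SameSite support ignores the attribute, so the 'strict' default described above provides no CSRF protection there and the token-based CsrfDefenseStrategy becomes the only defense; that is the reason this documentation change exists, and spelling it out makes the configuration choice clearer.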