This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
     new fd1e7f4  Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
fd1e7f4 is described below
commit fd1e7f477b8800a2071bb21a3115c43d31d919d3
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 21 11:55:53 2020 +0100
    Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470) It's better to allow users to change from strict to lax, at least for all cookies. Some could want to change it by cookie type. I let the exercise for them :) See:https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60
---
 framework/security/config/security.properties                     | 4 ++++
 .../main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5a44fe2..b9e0b2e 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -151,3 +151,7 @@ security.internal.sso.enabled=false
 # -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 security.token.key=security.token.key
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed
+SameSiteCookieAttribute=
+
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
index bc96fec..e064332 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
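Review bot: `SameSiteCookieAttribute=` ships with an empty value, so the strict default the comment promises only holds if `UtilProperties.getPropertyValue(..., "strict")` in SameSiteFilter.java treats an empty string like a missing key; if it returns the empty string instead, every cookie would carry a bare `SameSite=` and browsers would fall back to their own default. Shipping the key commented out with the default spelled out removes that dependency on the helper's behaviour: `#SameSiteCookieAttribute=strict`. The comment should also name the accepted values and has a typo (`ot` for `to`): `# -- SameSite attribute that SameSiteFilter appends to every Set-Cookie header; accepted values are strict (default) and lax`.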
@@ -28,8 +28,12 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.HttpHeaders;
+import org.apache.ofbiz.base.util.UtilProperties;
+
 public class SameSiteFilter implements javax.servlet.Filter {
+
+    private static final String SameSiteCookieAttribute = UtilProperties.getPropertyValue("security.properties", "SameSiteCookieAttribute", "strict");
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
@@ -46,11 +50,11 @@ public class SameSiteFilter implements javax.servlet.Filter {
         boolean firstHeader = true;
         for (String header : headers) { // there can be multiple Set-Cookie attributes
             if (firstHeader) {
-                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
                 firstHeader = false;
                 continue;
             }
-            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
         }
     } |
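Review bot: The value read from security.properties is concatenated into every Set-Cookie header in the second hunk without any check, so a misspelled or unexpected setting reaches browsers verbatim and, since an unrecognised SameSite value is generally ignored, the filter would silently stop providing the cross-site request protection it exists for. Restrict the value once at class initialisation to the two settings the commit message names, strict and lax, and fall back to strict for anything else; `None` is deliberately left out because it only takes effect together with a `Secure` attribute that this filter does not add. Returning the canonical spellings also keeps the emitted header at `SameSite=Strict` as before the commit rather than the lower-case `strict` the new default produces (browsers appear to match case-insensitively, but there is no reason to rely on it). The field should also follow the `UPPER_SNAKE_CASE` constant convention, with the two `setHeader`/`addHeader` lines updated to `"SameSite=" + SAME_SITE_COOKIE_ATTRIBUTE`; the method containing the second hunk starts outside it.
```java
    private static final String SAME_SITE_COOKIE_ATTRIBUTE = resolveSameSiteAttribute();

    /** Reads SameSiteCookieAttribute from security.properties; only strict or lax are accepted, anything else yields strict. */
    private static String resolveSameSiteAttribute() {
        String configured = UtilProperties.getPropertyValue("security.properties", "SameSiteCookieAttribute", "strict");
        if (configured != null && "lax".equalsIgnoreCase(configured.trim())) {
            return "Lax";
        }
        return "Strict";
    }

    // … unchanged: init / doFilter …
```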