[ofbiz-framework] branch trunk updated: Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch trunk updated: Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new fd1e7f4  Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
fd1e7f4 is described below

commit fd1e7f477b8800a2071bb21a3115c43d31d919d3
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 21 11:55:53 2020 +0100

    Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
   
    (OFBIZ-11470)
   
    It's better to allow users to change from strict to lax, at least for all
    cookies. Some could want to change it by cookie type. I let the exercise for
    them :)
    See:https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60
---
 framework/security/config/security.properties                     | 4 ++++
 .../main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5a44fe2..b9e0b2e 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -151,3 +151,7 @@ security.internal.sso.enabled=false
 
 # -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 security.token.key=security.token.key
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed  
+SameSiteCookieAttribute=
+
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
index bc96fec..e064332 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
@@ -28,8 +28,12 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.HttpHeaders;
 
+import org.apache.ofbiz.base.util.UtilProperties;
+
 
 public class SameSiteFilter implements javax.servlet.Filter {
+    
+    private static final String SameSiteCookieAttribute = UtilProperties.getPropertyValue("security.properties", "SameSiteCookieAttribute", "strict");
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
@@ -46,11 +50,11 @@ public class SameSiteFilter implements javax.servlet.Filter {
         boolean firstHeader = true;
         for (String header : headers) { // there can be multiple Set-Cookie attributes
             if (firstHeader) {
-                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
                 firstHeader = false;
                 continue;
             }
-            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
         }
     }