This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 866c742e8fb8f10d71571e8bc5c54bca70de599c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Mar 21 11:55:53 2020 +0100
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470) It's better to allow users to change from strict to lax, at least for all cookies. Some could want to change it by cookie type. I let the exercise for them :) See:https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60
---
framework/security/config/security.properties | 4 ++++
.../main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java | 8 ++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 55c2b6a..9f206d5 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -152,6 +152,10 @@ security.internal.sso.enabled=false
 # -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 security.token.key=security.token.key
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed
+SameSiteCookieAttribute=
+
+
 # -- The cache size for the Tokens Maps that stores the CSRF tokens.
 # -- RemoveEldestEntry is used when it's get above csrf.cache.size
 # -- Default is 5000
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
index bc96fec..e064332 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/SameSiteFilter.java
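Review bot: The comment above the new `SameSiteCookieAttribute=` line has a typo (`ot lax`) and does not say which values are accepted or what the shipped empty value means; a reader cannot tell whether leaving it blank yields the strict default or an empty `SameSite=` attribute on every cookie, since that depends on how the filter's property lookup treats an empty string. Suggest replacing the comment with `# -- SameSite attribute that SameSiteFilter appends to every Set-Cookie header. Accepted values: strict (default) or lax; leave empty to keep the default.` so the contract is visible where the value is edited.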
@@ -28,8 +28,12 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.HttpHeaders;
+import org.apache.ofbiz.base.util.UtilProperties;
+
 public class SameSiteFilter implements javax.servlet.Filter {
+
+    private static final String SameSiteCookieAttribute = UtilProperties.getPropertyValue("security.properties", "SameSiteCookieAttribute", "strict");
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
@@ -46,11 +50,11 @@ public class SameSiteFilter implements javax.servlet.Filter {
         boolean firstHeader = true;
         for (String header : headers) { // there can be multiple Set-Cookie attributes
             if (firstHeader) {
-                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+                response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
                 firstHeader = false;
                 continue;
             }
-            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=Strict"));
+            response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, "SameSite=" + SameSiteCookieAttribute));
         }
     }
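Review bot: The configured value is concatenated into every Set-Cookie header without any check, so a misspelled value, an unsupported one such as `none`, or a stray `;` from a careless edit reaches browsers verbatim, and the shipped empty `SameSiteCookieAttribute=` only produces `SameSite=strict` if `getPropertyValue` treats an empty string as absent, which is not visible in this hunk. Resolving the property once through a small helper that accepts only `strict` or `lax` (case-insensitively) and otherwise keeps the previous `Strict` makes the emitted header independent of configuration mistakes; `None` is left out on purpose because it would additionally require the Secure flag to be honoured. With that helper the two header lines in the second hunk stay exactly as they are. As a point of style, a `static final` field is conventionally named `SAME_SITE_COOKIE_ATTRIBUTE` rather than `SameSiteCookieAttribute`.
```java
    // Value appended as "SameSite=<value>" to every Set-Cookie header; limited to the tokens this filter supports.
    private static final String SameSiteCookieAttribute = resolveSameSiteAttribute();

    private static String resolveSameSiteAttribute() {
        String configured = UtilProperties.getPropertyValue("security.properties", "SameSiteCookieAttribute", "strict");
        // Empty, unknown or malformed values keep the pre-existing default rather than being emitted as-is.
        return "lax".equalsIgnoreCase(configured.trim()) ? "Lax" : "Strict";
    }
    // … unchanged: init / doFilter / Set-Cookie rewriting loop …
```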