This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 16c2d35 Documented: CsrfDefenseStrategy in case of no support for SameSite cookie attribute 16c2d35 is described below commit 16c2d3521990caf5e8703cbb323ce1146c93b9ce Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Jul 6 15:14:29 2020 +0200 Documented: CsrfDefenseStrategy in case of no support for SameSite cookie attribute Use of CsrfDefenseStrategy in case of potential use of a browser version not supporting the SameSite cookie attribute Refer to https://caniuse.com/#feat=same-site-cookie-attribute --- framework/security/config/security.properties | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index d3b32d2..bf1d075 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -179,11 +179,15 @@ csrf.tokenName.nonAjax= csrf.entity.request.limit= # -- CSRF defense strategy. -# -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies, +# -- Because OOTB OFBiz also sets the SameSite attribute to 'strict' for all cookies, # -- which is an effective CSRF defense, # -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified. # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy -# -- if you need to use a 'lax' for SameSiteCookieAttribute +# -- if you need to use a 'lax' for SameSiteCookieAttribute. +# -- +# -- Or if you, or your users, use, or may use, a browser version that +# -- is not supporting the SameSite cookie attribute +# -- You may refer to https://caniuse.com/#feat=same-site-cookie-attribute csrf.defense.strategy=
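Review bot: the three added comment lines form a sentence fragment ("Or if you, or your users, use, or may use, ...") with no terminating period, so the documentation reads awkwardly; consider folding them into the preceding sentence, e.g. `# -- if you need to use 'lax' for SameSiteCookieAttribute, or if you (or your users)` / `# -- use, or may use, a browser version that does not support the SameSite cookie attribute` / `# -- (see https://caniuse.com/#feat=same-site-cookie-attribute).` It would also help to state the risk the fallback addresses: on a browser that ignores SameSite, the cookie is sent with cross-site requests, so the 'strict' setting mentioned above offers no CSRF protection there and only the token-based CsrfDefenseStrategy does. Finally, since `csrf.defense.strategy=` is still left empty after this change, the default NoCsrfDefenseStrategy remains in effect; the comment should say explicitly that the property must be set to org.apache.ofbiz.security.CsrfDefenseStrategy for the fallback to apply.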