Faces 4.0: add support for SameSite attribute in ExternalContext#addResponseCookie() properties

[BalusC]

It's most likely going to be added to Servlet 5.1:

• https://github.com/eclipse-ee4j/servlet-api/pull/271/files
• SameSite Cookie Support servlet#175

[melloware]

Finally! I am bummed this never made it in before right now I use an Undertow hack to put the SameSite on all my Session cookies.

[BalusC]

It looks like Cookie#setAttribute() has more chance: jakartaee/servlet#401

[BalusC]

That has been merged 🎉 Unfortunately not 100% futureproof but better than nothing.

We'll now have to wait for some sort of 5.1.0-M1 before we can catch up ExternalContext#addResponseCookie().

@gregw any plans for a M1?

[BalusC]

Looks like next servlet version is going to be 6.0 instead of 5.1.

However, there's still no M1 or alike in Maven which could be used to compile against.

@arjantijms can you please kick off it? The deadline is otherwise going to be tight.

[tandraschko]

@BalusC @arjantijms
Cant you use a SNAPSHOT in meantime?
thats really a important thing for Faces 4.0 IMO

[BalusC]

Oh crap. Servlet API is holding up all its dependent APIs again. @arjantijms you have admin privileges on servlet project as well, can you please nonetheless kick off a sort of M1 in Maven? Then we can move forward.

[BalusC]

I went a step further: I've specified that "any custom attribute" is supported. This way it's more future-proof.

[melloware]

I think that is a great idea

[tandraschko]

implemented in both mojarra and myfaces
can we close?

[arjantijms]

implemented in both mojarra and myfaces

That was a long journey, but finally! :)

[tandraschko]

@BalusC @arjantijms how should JSF internal cookies like flash use SameSite?

[BalusC]

Ideally inherit it from JSESSIONID config. Since Servlet 6.0 it's possible to configure as follows:

<session-config>
    <cookie-config>
        <attribute>
            <attribute-name>SameSite</attribute-name>
            <attribute-value>NONE</attribute-value>
        </attribute>
    </cookie-config>
</session-config>

And to obtain as follows:

String sameSite = servletContext.getSessionCookieConfig().getAttribute("SameSite");

See also https://www.eclipse.org/lists/servlet-dev/msg00410.html

[tandraschko]

CC @melloware

[melloware]

This is slick!

However, I am hesitant to do this because what do we do if they are using stateless views or completely stateless JSF?? They can still use FlashScope and PF Download cookies right without a Session?

[tandraschko]

yeah but either:

1. we use the same config as for the session, if created, like balusc posted above; doesnt matter if a session exists or not for this request
2. we specify a default for flash cookie
3. we create a config flag

i think a mix of 1) and 2) is enough actually - at least in servlet 6

[melloware]

OK MyFaces PR submitted.

[codylerum]

@BalusC I'm not seeing the following being as valid due to cookie-config not supporting the attribute tag.

Am I missing something obvious here, or did this not make it into the spec.

<web-app version="6.0" xmlns="https://jakarta.ee/xml/ns/jakartaee"
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd">

<session-config>
		<session-timeout>15</session-timeout>
		<tracking-mode>COOKIE</tracking-mode>
		<cookie-config>
			<attribute>
				<attribute-name>SameSite</attribute-name>
				<attribute-value>Strict</attribute-value>
			</attribute>
		</cookie-config>
	</session-config>
</web-app>

[BalusC]

Works for me in Tomcat 10.1.

If you're referring to IDE validation, report issue at maintainers of IDE.
If you're referring to Servlet impl, report issue at maintainers of Servlet impl.

This isn't the responsiblity of Faces spec.