pocoproject / poco

The POCO C++ Libraries are powerful cross-platform C++ libraries for building network- and internet-based applications that run on desktop, server, mobile, IoT, and embedded systems.
https://pocoproject.org

Add support for SameSite attribute in HTTPCookie #2879

Closed gyee-penguin closed 4 years ago

gyee-penguin commented 4 years ago

Chrome 80 is changing the default value for the SameSite HTTPCookie attribute to Lax on Feb 4, 2020. Currently POCO's HTTPCookie code does not support setting the SameSite attribute (RFC 6265bis https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03). Firefox is heading in this direction too.

https://www.chromestatus.com/feature/5088147346030592

**NOTE: There is currently a bug affecting Mac OSX and iOS which causes SameSite=None cookies to be inadvertently treated as SameSite=Strict and therefore not sent with cross-site requests. (See https://bugs.webkit.org/show_bug.cgi?id=198181) Until this is fixed, SameSite=None may not work properly on Safari.**

Can we add support for the SameSite attribute? There are 3 values for it - None, Lax, and Strict.

I'm not sure what POCO's behavior should be for the Safari case above -- I heard other older browsers suffer the same problem so you'd have to NOT set the cookie instead of setting SameSite=None on those as well.

obiltschnig commented 4 years ago

This is already implemented in the poco-1.10.0 branch which will be released soon.

gyee-penguin commented 4 years ago

Can this be backported to v1.9 please? CentOS 7 distributes with GCC 4.8.5, not GCC 5.
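
The fallback suggested in the first comment (omit the attribute instead of sending SameSite=None to clients that mishandle it), as an added example that is not part of the thread and is not POCO's HTTPCookie API. The `Cookie` struct, `toSetCookie` and the `clientMishandlesNone` flag are hypothetical names, and deciding which clients are affected is left to the caller.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Added illustration; these names are hypothetical and are not POCO's HTTPCookie API.
enum class SameSite { NotSpecified, None, Lax, Strict };

struct Cookie {
    std::string name, value, path = "/";
    bool secure = false;
    bool httpOnly = true;
    SameSite sameSite = SameSite::NotSpecified;
};

// Builds a Set-Cookie header value. clientMishandlesNone is the caller's
// judgement (assumed to come from User-Agent checks) that this client treats
// SameSite=None as Strict, as in the WebKit bug linked in the issue.
std::string toSetCookie(const Cookie& c, bool clientMishandlesNone) {
    // Refuse separators and line breaks so a field cannot inject attributes or headers.
    const std::string forbidden = ";\r\n";
    if (c.name.empty() || c.name.find_first_of(forbidden + "= ") != std::string::npos ||
        c.value.find_first_of(forbidden) != std::string::npos ||
        c.path.find_first_of(forbidden) != std::string::npos)
        throw std::invalid_argument("illegal character in cookie field");
    // Chrome's rollout rejects SameSite=None cookies that are not marked Secure.
    if (c.sameSite == SameSite::None && !c.secure)
        throw std::invalid_argument("SameSite=None requires Secure");

    std::string out = c.name + "=" + c.value + "; Path=" + c.path;
    if (c.secure) out += "; Secure";
    if (c.httpOnly) out += "; HttpOnly";
    switch (c.sameSite) {
    case SameSite::Strict: out += "; SameSite=Strict"; break;
    case SameSite::Lax:    out += "; SameSite=Lax"; break;
    case SameSite::None:
        // Affected clients get no attribute at all, per the issue's suggestion.
        if (!clientMishandlesNone) out += "; SameSite=None";
        break;
    case SameSite::NotSpecified: break;  // browser default applies (Lax in Chrome 80)
    }
    return out;
}

int main() {
    Cookie sso;  // constructed sample: a cookie that must travel cross-site
    sso.name = "sid"; sso.value = "abc123"; sso.secure = true;
    sso.sameSite = SameSite::None;
    std::cout << toSetCookie(sso, false) << "\n" << toSetCookie(sso, true) << "\n";
    return 0;
}
```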