DELTASPIKE-1413 add SameSite=Strict to dsrwid cookie
Sadly had to manually add the Set-Cookie header, as Java's Cookie
class does not have a SameSite attribute.
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
index 858c1f3..2aed78e 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
@@ -19,7 +19,6 @@
package org.apache.deltaspike.jsf.impl.util;
import java.io.IOException;
-import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
import java.util.logging.Level;
@@ -153,12 +152,16 @@
public static void addRequestWindowIdCookie(FacesContext context, String requestToken, String windowId)
{
- Map<String, Object> properties = new HashMap();
- properties.put("path", "/");
- properties.put("maxAge", 30);
-
- context.getExternalContext().addResponseCookie(
+ /* Sadly doesn't work due to SameSite is not allowed on Java cookies ^^
+ Map<String, Object> properties = new HashMap();
+ properties.put("path", "/");
+ properties.put("maxAge", 30);
+ context.getExternalContext().addResponseCookie(
Cookies.REQUEST_WINDOW_ID_PREFIX + requestToken, windowId, properties);
+ */
+ context.getExternalContext().addResponseHeader("Set-Cookie",
+ Cookies.REQUEST_WINDOW_ID_PREFIX + requestToken + "=" + windowId +
+ "; path=/; maxAge=30; SameSite=Strict");
}
public static Object getRequestWindowIdCookie(FacesContext context, String requestToken)
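Review bot: The attribute string on the new `addResponseHeader` call spells the lifetime as `maxAge=30`, which is the property key from the old `addResponseCookie` map and not a Set-Cookie attribute. Browsers ignore unknown attributes, so the cookie would become a session cookie instead of expiring after 30 seconds; the last line should read `"; Path=/; Max-Age=30; SameSite=Strict");`. Building the header by hand also bypasses whatever name and value checking the servlet cookie path applied, so if `requestToken` or `windowId` can be influenced by the request (their origin is not visible in this hunk), a `;` or line break in either would change the emitted header. Validate both against the expected token format before concatenating. The commented-out block is better deleted than kept, since version control already holds the old code.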