Commit baca86bf authored by Matija Obreza

ATiC: CORS cookie requires SameSite=None and Secure

- See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
parent c358091e
......@@ -39,7 +39,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.filter.OncePerRequestFilter;
import static org.eclipse.jetty.http.HttpCookie.SAME_SITE_STRICT_COMMENT;
import static org.eclipse.jetty.http.HttpCookie.SAME_SITE_NONE_COMMENT;;
/**
* Converts the API cookie to the "Authorization" HTTP request
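Review bot: The import that this commit adds (the `SAME_SITE_NONE_COMMENT` one, going by the commit message) ends in a doubled semicolon, `import static org.eclipse.jetty.http.HttpCookie.SAME_SITE_NONE_COMMENT;;`, which compiles as a stray empty declaration but will be flagged by Checkstyle/Error Prone; drop the extra `;`. Importing a Jetty-specific constant into a Spring `OncePerRequestFilter` also ties the filter to the Jetty container, so a one-line comment such as `// Jetty reads this cookie-comment marker to emit SameSite=None` would make that coupling visible to the next maintainer.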
......@@ -111,12 +111,12 @@ public class AccessTokenInCookieFilter extends OncePerRequestFilter {
if (!tokenCookie.isPresent() || tokenCookie.get().getValue().equals(accessToken)) {
Cookie cookie = new Cookie(tokenCookieName, accessToken);
cookie.setComment(SAME_SITE_STRICT_COMMENT);
cookie.setComment(SAME_SITE_NONE_COMMENT);
cookie.setHttpOnly(true);
cookie.setSecure(cookieSecure);
if (StringUtils.isNotBlank(cookieDomain)) {
cookie.setDomain(cookieDomain);
}
// if (StringUtils.isNotBlank(cookieDomain)) {
// cookie.setDomain(sourceUrl.getHost());
// }
// Only set cookie for /api
cookie.setPath("/api");
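Review bot: `cookie.setSecure(cookieSecure)` two lines below the new `cookie.setComment(SAME_SITE_NONE_COMMENT)` keeps the Secure attribute configuration-driven, while the commit title itself states that browsers only accept SameSite=None together with Secure; with `cookieSecure` false the token cookie is silently dropped by the browser and the API session is never established. Either pin it, `cookie.setSecure(true);`, or at least reject/log the combination at startup when `cookieSecure` is false, so the misconfiguration is not discovered as an unexplained login failure. Conveying SameSite through the cookie comment presumably only works where the container (Jetty, given the import) rewrites that marker into a real Set-Cookie attribute; on another servlet container the attribute would be absent, which deserves a comment on the `setComment` line. Moving from Strict to None also means this HttpOnly token cookie is now sent on cross-site requests to `/api`, so the CSRF protection for those endpoints must not rely on SameSite alone. The enclosing method starts and ends outside the hunk.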