- ad_set_cookie: add option "-samesite" and use it when the server supports it (NaviServer 4.99.18)
- use "-samesite strict" by default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing contexts, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to provide backward compatibility, the flag can't be activated by default on all cookies.
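The strict/lax/none semantics described in the commit message, modelled as an added example that is not part of the commit or of OpenACS/NaviServer: a small Set-Cookie auditor that parses constructed header values, treats a missing SameSite attribute as none (as the message states), and reports which cookies a cross-site subrequest would still carry. The header values, cookie names and the treatment of unrecognised SameSite values as absent are assumptions made for the example.

```python
"""Audit Set-Cookie headers against the SameSite semantics described above."""

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attribute names are lowercased. SameSite defaults to 'none' when the
    attribute is absent, which is the default the commit message describes.
    An unrecognised SameSite value is treated as absent, modelling a browser
    that ignores the flag silently (assumption made for this example).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    samesite = str(attrs.get("samesite", "none")).lower()
    attrs["samesite"] = samesite if samesite in VALID_SAMESITE else "none"
    return name.strip(), value.strip(), attrs


def sent_cross_site(attrs, top_level_navigation):
    """Would a SameSite-aware browser attach this cookie to a cross-site request?

    strict: never; lax: only on regular link navigations; none: always.
    """
    samesite = attrs["samesite"]
    if samesite == "strict":
        return False
    if samesite == "lax":
        return top_level_navigation
    return True


def audit(headers):
    """Return names of cookies that a cross-site subrequest (not a link click)
    would still carry, i.e. the ones SameSite does not protect."""
    unprotected = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if sent_cross_site(attrs, top_level_navigation=False):
            unprotected.append(name)
    return unprotected


# Constructed sample headers for the example (not taken from the page).
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=strict",
    "user_login=xyz; Path=/; Secure; SameSite=lax",
    "legacy_pref=1; Path=/",
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))  # ['legacy_pref']
```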