Chrome 80 changed the way it handles cookies that do not set a SameSite attribute. More information: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html . While this change does not break anything, it does generate warnings in the developer console because the SameSite attribute is missing.
It is currently not possible to specify a SameSite value on the CookieCsrfTokenRepository. The underlying problem is that the Cookie class in the Java Servlets API does not support the SameSite attribute. Should we check for an alternative? Or wait until the Servlets API adds support for SameSite?
Comment From: eleftherias
At this time, you can use Spring Session to set the SameSite attribute on the session cookie.
More information on that can be found in the Spring Session documentation.
Comment From: ddevrien
Hi @eleftherias, we are indeed using a custom cookieSerializer to set the SameSite attribute for session cookies, but that does not make it possible to set the attribute for the XSRF-TOKEN cookie.
Comment From: eleftherias
Thanks for the clarification @ddevrien. Would gh-7537 cover your use case?
Comment From: ddevrien
Yes, that's exactly the feature we'd like to see added. Shall I close this issue then?
Comment From: eleftherias
@ddevrien Yes, please feel free to close this issue.
Comment From: svschouw-bb
Should this ticket be reopened? Since @rwinch closed #7537 because that was more about replacing CSRF with SameSite, which was a "Won't Do". But I think many people actually want (or need) this ticket. The only reason this ticket was closed was because it seemed to be a duplicate of #7537? Which it isn't.
Edit: #11913 is the more recent version.
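One way to work around the limitation discussed in this thread, as an added example that is not part of the original issue and not Spring Security's own code: a filter that intercepts the `XSRF-TOKEN` cookie and writes the `Set-Cookie` header itself with Spring Framework's `ResponseCookie`, which has a `sameSite` builder method. The class name `SameSiteCsrfCookieFilter` and the chosen `Lax` value are assumptions, as is the use of the `javax.servlet` namespace.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical filter: serializes the CSRF cookie itself so it can carry SameSite. */
public class SameSiteCsrfCookieFilter extends OncePerRequestFilter {

    private static final String CSRF_COOKIE = "XSRF-TOKEN"; // cookie name used in this thread
    private static final String SAME_SITE = "Lax";          // assumption: pick Strict, Lax or None per application

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override
            public void addCookie(Cookie cookie) {
                if (!CSRF_COOKIE.equals(cookie.getName())) {
                    super.addCookie(cookie); // every other cookie passes through untouched
                    return;
                }
                // The servlet Cookie class has no SameSite setter, so copy its
                // attributes into a ResponseCookie and emit the header directly.
                String value = cookie.getValue() == null ? "" : cookie.getValue();
                ResponseCookie rewritten = ResponseCookie.from(CSRF_COOKIE, value)
                        .path(cookie.getPath())
                        .domain(cookie.getDomain())
                        .maxAge(cookie.getMaxAge()) // 0 still expires the cookie; -1 omits Max-Age
                        .secure(cookie.getSecure())
                        .httpOnly(cookie.isHttpOnly())
                        .sameSite(SAME_SITE)
                        .build();
                addHeader(HttpHeaders.SET_COOKIE, rewritten.toString());
            }
        });
    }
}
```

The filter has to run ahead of the CSRF filter so that the wrapped response is the one the token repository writes to, for example with `http.addFilterBefore(new SameSiteCsrfCookieFilter(), CsrfFilter.class)`. If `SameSite=None` is chosen, the cookie must also be marked `Secure` or browsers will reject it.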