bpo-29613: Added support for SameSite cookies #214
9 changes: 9 additions & 0 deletions Doc/library/http.cookies.rst
@@ -137,11 +137,17 @@ Morsel Objects
* ``secure``
* ``version``
* ``httponly``
* ``samesite``

The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
Contributor:

I think "The samesite attribute" is better English (not sure if the pattern from the previous paragraph is commonly used).
"the browser" (add "the")

cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
Contributor:

This helps

values for this attribute are "Strict" and "Lax".
Contributor:

What is the meaning of these values?
Are invalid values rejected? I don't see any code/tests for that.

Author:

Explaining the values would be out of scope of the Python documentation. I think invalid values should be accepted; after all, it's the browser's job to discard invalid values. Suppose in future they propose or add another value for SameSite; then we need to make space for that too. By the way, I'm not sure about this; let the member decide.

Member:

Tim is correct that we need to add a test for invalid values. However, we need to decide on what we should do with invalid values first. I don't have time to do research at the moment, but just a note that Firefox doesn't implement SameSite support yet: https://bugzilla.mozilla.org/show_bug.cgi?id=795346

Author:

You're right. However, Chrome implemented SameSite. Right now only Chrome has implemented this. https://bugs.chromium.org/p/chromium/issues/detail?id=459154
I checked the test cases they wrote for the same; I didn't find test cases for invalid values.
https://chromium.googlesource.com/chromium/src/+/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/canonical_cookie_unittest.cc#86

I messed with this branch :( Should I open a new PR?

Contributor:

You should be able to fix the branch by rebasing and force pushing.


Member:

Please add below this line:

   .. versionchanged:: 3.7
      Added support for :attr:`samesite` attribute.

Thanks @alex for the clarification about this :)


The keys are case-insensitive and their default value is ``''``.

.. versionchanged:: 3.5
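Review bot: the new paragraph describes SameSite as it behaves only with the value Strict; with Lax the browser still sends the cookie on top-level cross-site navigations such as a link click, and Lax is the value most sites can actually deploy, so "not allowed to send the cookie along with cross-site requests" overstates it. Suggest one sentence per value, for example: ``"Strict"`` withholds the cookie on every cross-site request; ``"Lax"`` withholds it on cross-site subresource requests and non-idempotent requests but sends it on top-level navigations. Fix the grammar while here ("specifies that the browser", "This helps to mitigate"), and since the change to Lib/http/cookies.py in this PR only adds the attribute name, "Valid values for this attribute are" reads as if other values were rejected; "Browsers recognise the values" would match what the module does.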
@@ -153,6 +159,9 @@ Morsel Objects
:attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for
setting them.

.. versionchanged:: 3.7
Added support for :attr:`samesite` attribute.
Contributor:

for the



.. attribute:: Morsel.value

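Review bot: "Added support for :attr:`samesite` attribute." is missing an article; write "for the :attr:`samesite` attribute". One ``versionchanged`` is enough, and it is better placed directly after the paragraph that documents ``samesite`` in the attribute list above, where a reader looking up the attribute will see it, than after the note about ``value``/``coded_value`` being read-only.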
1 change: 1 addition & 0 deletions Lib/http/cookies.py
@@ -281,6 +281,7 @@ class Morsel(dict):
"secure" : "Secure",
"httponly" : "HttpOnly",
"version" : "Version",
"samesite" : "SameSite",
}

_flags = {'secure', 'httponly'}
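Review bot: adding ``"samesite" : "SameSite"`` to ``_reserved`` makes the attribute assignable and emitted as ``SameSite=<value>``, but nothing in this change constrains the value, so the docs' "Valid values for this attribute are "Strict" and "Lax"" has no enforcement behind it: ``m['samesite'] = 'anything'`` is stored and emitted as-is. Either validate at assignment time (raise ``CookieError`` for anything other than Strict/Lax) or word the docs as "browsers recognise" rather than "valid values", and in both cases add the test the thread asks for. Leaving ``samesite`` out of ``_flags`` on the next line is correct: unlike ``Secure`` and ``HttpOnly`` it always carries a value.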
9 changes: 9 additions & 0 deletions Lib/test/test_http_cookies.py
@@ -121,6 +121,15 @@ def test_set_secure_httponly_attrs(self):
self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')

def test_samesite_attrs(self):
samesite_values = ("Strict", "Lax")
Contributor:

Use single quotes for consistency?

for val in samesite_values:
with self.subTest(val=val):
C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
C['Customer']['samesite'] = val
self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)
Contributor:

indentation missing

Author:

Negative. It's just an illusion, I guess. It shows perfectly in my vim.

Member:

What Tim meant was that the second argument needs to be indented, like:

self.assertEqual(C.output(),
                 'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)

or even better:

expected = f'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite={val}'
self.assertEqual(C.output(), expected)


def test_secure_httponly_false_if_not_present(self):
C = cookies.SimpleCookie()
C.load('eggs=scrambled; Path=/bacon')
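Review bot: ``test_samesite_attrs`` only covers the output direction; since ``_reserved`` drives parsing as well, add the other half, e.g. ``C.load('Customer="WILE_E_COYOTE"; SameSite=Strict')`` followed by ``self.assertEqual(C['Customer']['samesite'], 'Strict')``, mirroring ``test_secure_httponly_false_if_not_present`` just below. The continuation line ``'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val`` should be indented under the opening parenthesis of ``assertEqual``, and the ``"Strict"``/``"Lax"`` literals should use single quotes like the rest of this file. Whichever way the thread decides on invalid values, a test that pins that decision (either ``assertRaises(cookies.CookieError)`` or an assertion that ``C['Customer']['samesite'] = 'Foo'`` is emitted unchanged) belongs next to this one.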
1 change: 1 addition & 0 deletions Misc/ACKS
@@ -1396,6 +1396,7 @@ Varun Sharma
Daniel Shaulov
Vlad Shcherbina
Justin Sheehy
Akash Shende
Charlie Shepherd
Bruce Sherwood
Alexander Shigin
2 changes: 2 additions & 0 deletions Misc/NEWS
@@ -263,6 +263,8 @@ Library
- Issue #16285: urrlib.parse.quote is now based on RFC 3986 and hence includes
'~' in the set of characters that is not quoted by default. Patch by
Christian Theune and Ratnadeep Debnath.
- bpo-29613: http.cookies.Morsel now supports SameSite cookies.
Patch by Akash Shende.

- bpo-29532: Altering a kwarg dictionary passed to functools.partial()
no longer affects a partial object after creation.
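Review bot: the new ``- bpo-29613:`` entry is glued to the preceding Issue #16285 item; the other entries in this section are separated by a blank line (see the one before ``- bpo-29532:``), so add a blank line above it.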