bpo-29613: Added support for SameSite cookies #6413

Merged
merged 11 commits into from
Apr 7, 2018

Conversation

alex
Member

@alex alex commented Apr 7, 2018

This is a rebase of #214.

Closes #214

https://bugs.python.org/issue29613

@@ -153,6 +159,9 @@ Morsel Objects
:attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for
setting them.

.. versionchanged:: 3.8
Added support for :attr:`samesite` attribute.
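Review bot: the `.. versionchanged:: 3.8` entry reads "Added support for :attr:`samesite` attribute." and is missing the article; "Added support for the :attr:`samesite` attribute." is the form the rest of this file uses. Since this note is the only place the Morsel Objects section announces the new attribute, it would also help to state the accepted values here, mirroring what the test hunk exercises (`'Strict'` and `'Lax'`), e.g. "Added support for the :attr:`samesite` attribute; valid values are ``Strict`` and ``Lax``."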
Contributor

for the


The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
Contributor

"the browser"


The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
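Review bot: the sentence "specifies that browser is not allowed to send the cookie along with cross-site requests. This help to mitigate CSRF attacks." needs "the browser" and "This helps" (as already noted), but the statement is also stronger than what the ``Lax`` value tested in this patch provides: ``Lax`` still lets the browser attach the cookie on top-level cross-site navigations, and only ``Strict`` withholds it on every cross-site request. Suggest: "specifies that the browser is not allowed to send the cookie along with cross-site requests; ``Strict`` withholds it on all such requests, while ``Lax`` still sends it on top-level navigations. This helps to mitigate CSRF attacks." The unchanged :attr:`httponly` paragraph above has a similar precision issue, since HttpOnly limits what a successful cross-site scripting attack can read rather than preventing the attack, but that is existing context and can be a follow-up.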
Contributor

help -> helps

@@ -121,6 +121,19 @@ def test_set_secure_httponly_attrs(self):
self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')

def test_samesite_attrs(self):
samesite_values = ['Strict', 'Lax']
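Review bot: `samesite_values = ['Strict', 'Lax']` covers only the canonical spellings; beyond the lowercase variants already suggested, the test should pin the exact rendered header the way `test_set_secure_httponly_attrs` does on the line above (`'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure'`), for example asserting that `C.output()` equals `'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=Strict'` for each value. Unlike `HttpOnly` and `Secure`, which are emitted as bare flags, `samesite` carries a value, so only an exact-string assertion catches it being rendered as a flag or with the attribute name in the wrong capitalization.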
Contributor

Might add tests for 'strict' and 'lax' as the values are case-insensitive from what I read.

@alex
Member Author

alex commented Apr 7, 2018

Thanks! Feedback addressed.

@alex alex merged commit c87eb09 into python:master Apr 7, 2018
@alex alex deleted the samesite-cookies branch April 7, 2018 20:09
@alex
Member Author

alex commented Apr 7, 2018

@akash0x53 I would encourage you to apply for a Google Patch Reward for your work on this: https://www.google.com/about/appsecurity/patch-rewards/

6 participants