Commit bc91440b authored by Cédric Le Ninivin, committed by Hanno Schlichting

Add support for optional 'SameSite' cookie attribute

As described in the IETF draft that defines the attribute:
https://tools.ietf.org/html/draft-west-first-party-cookies-07

"The 'SameSite' attribute allows servers to assert that a cookie
ought not to be sent along with cross-site requests. This assertion
allows user agents to mitigate the risk of cross-origin information
leakage, and provides some protection against cross-site request
forgery attacks."
parent 740eb601
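--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -642,6 +642,8 @@ class HTTPBaseResponse(BaseResponse):
                 # and block read/write access via JavaScript
                 elif name == 'http_only' and v:
                     cookie = '%s; HTTPOnly' % cookie
+                elif name == 'same_site' and v:
+                    cookie = '%s; SameSite=%s' % (cookie, v)
             cookie_list.append(('Set-Cookie', cookie))
             # Should really check size of cookies here!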
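Review bot: The new `same_site` branch interpolates `v` into the Set-Cookie header as-is, without checking it against the two values the cited draft defines (`Strict` and `Lax`), so a typo such as `same_site='strict'` or any other unexpected string is emitted verbatim and left to the user agent to ignore or misread, silently losing the cross-site protection the commit is adding. The `http_only` branch just above carries an explanatory comment while the new branch has none; `# Ask the user agent not to send this cookie with cross-site requests` would match the surrounding style. Validation belongs where the attribute is accepted, presumably `setCookie`, which lies outside this hunk; failing that, `if v not in ('Strict', 'Lax'): raise ValueError('Invalid SameSite value: %r' % (v,))` before the interpolation would surface mistakes at the point of use. The enclosing method (apparently `_cookie_list`, judging by the test hunk) starts and ends outside this hunk.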
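--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -321,6 +321,19 @@ class HTTPResponseTests(unittest.TestCase):
         self.assertEqual(len(cookie_list), 1)
         self.assertEqual(cookie_list[0], ('Set-Cookie', 'foo="bar"'))
+    def test_setCookie_w_same_site(self):
+        response = self._makeOne()
+        response.setCookie('foo', 'bar', same_site='Strict')
+        cookie = response.cookies.get('foo', None)
+        self.assertEqual(len(cookie), 3)
+        self.assertEqual(cookie.get('value'), 'bar')
+        self.assertEqual(cookie.get('same_site'), 'Strict')
+        self.assertEqual(cookie.get('quoted'), True)
+        cookies = response._cookie_list()
+        self.assertEqual(len(cookies), 1)
+        self.assertEqual(cookies[0],
+                         ('Set-Cookie', 'foo="bar"; SameSite=Strict'))
     def test_setCookie_unquoted(self):
         response = self._makeOne()
         response.setCookie('foo', 'bar', quoted=False)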
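Review bot: `test_setCookie_w_same_site` only exercises `same_site='Strict'`, so the `and v` guard in the emitting branch — that a falsy value produces no `SameSite` attribute at all — and the other defined value, `Lax`, are left unpinned. A second case along the lines of `response.setCookie('foo', 'bar', same_site='')` followed by `self.assertEqual(response._cookie_list()[0], ('Set-Cookie', 'foo="bar"'))` would lock in the omission behaviour, and a `Lax` variant of the existing assertions would cover the remaining value. The new test method is complete within the hunk; `test_setCookie_unquoted` continues past its end.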