bpo-29613: Added support for SameSite cookies (GH-6413) · python/cpython@c87eb09 (original) (raw)

5 files changed

lines changed

@@ -137,11 +137,16 @@ Morsel Objects
137 137 * ``secure``
138 138 * ``version``
139 139 * ``httponly``
140 + * ``samesite``
140 141
141 142 The attribute :attr:`httponly` specifies that the cookie is only transferred
142 143 in HTTP requests, and is not accessible through JavaScript. This is intended
143 144 to mitigate some forms of cross-site scripting.
144 145
146 + The attribute :attr:`samesite` specifies that the browser is not allowed to
147 + send the cookie along with cross-site requests. This helps to mitigate CSRF
148 + attacks. Valid values for this attribute are "Strict" and "Lax".
149 +
145 150 The keys are case-insensitive and their default value is ``''``.
146 151
147 152 .. versionchanged:: 3.5
@@ -153,6 +158,9 @@ Morsel Objects
153 158 :attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for
154 159 setting them.
155 160
161 + .. versionchanged:: 3.8
162 + Added support for the :attr:`samesite` attribute.
163 +
156 164
157 165 .. attribute:: Morsel.value
158 166
@@ -281,6 +281,7 @@ class Morsel(dict):
281 281 "secure" : "Secure",
282 282 "httponly" : "HttpOnly",
283 283 "version" : "Version",
284 +"samesite" : "SameSite",
284 285 }
285 286
286 287 _flags = {'secure', 'httponly'}
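Review bot: The new `"samesite"` entry in `_reserved` makes the attribute accepted and emitted, but nothing constrains its value: the test added in this commit sets lowercase `'strict'`/`'lax'` and expects them written through verbatim as `SameSite=<value>`, while the documentation hunk names only "Strict" and "Lax" as valid. That matches how the other valued attributes in this table are treated, but a reader of `_reserved` cannot tell that `samesite` is the one valued attribute whose vocabulary is fixed by the cookie spec, so the line deserves a comment: `"samesite" : "SameSite",  # value emitted as given; spec vocabulary is "Strict"/"Lax", not validated here`. Whether `__setitem__` applies any normalization is outside the hunk, so the pass-through behaviour is inferred from the test's expectations rather than from visible code. The enclosing `Morsel` class begins before the hunk.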
@@ -121,6 +121,19 @@ def test_set_secure_httponly_attrs(self):
121 121 self.assertEqual(C.output(),
122 122 'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')
123 123
124 +def test_samesite_attrs(self):
125 +samesite_values = ['Strict', 'Lax', 'strict', 'lax']
126 +for val in samesite_values:
127 +with self.subTest(val=val):
128 +C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
129 +C['Customer']['samesite'] = val
130 +self.assertEqual(C.output(),
131 +'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)
132 +
133 +C = cookies.SimpleCookie()
134 +C.load('Customer="WILL_E_COYOTE"; SameSite=%s' % val)
135 +self.assertEqual(C['Customer']['samesite'], val)
136 +
124 137 def test_secure_httponly_false_if_not_present(self):
125 138 C = cookies.SimpleCookie()
126 139 C.load('eggs=scrambled; Path=/bacon')
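Review bot: The cookie loaded in the second half of `test_samesite_attrs` carries the value `WILL_E_COYOTE` while the first half uses `WILE_E_COYOTE`; the test asserts only the samesite attribute so it still passes, but the mismatch reads as a typo and hides that the cookie value is never checked after `load()`. I would use the same literal in both halves and add `self.assertEqual(C['Customer'].value, 'WILE_E_COYOTE')` after the samesite assertion. The absent case is also not covered: one line in `test_secure_httponly_false_if_not_present` (which starts at the end of this hunk and continues outside it), `self.assertEqual(C['eggs']['samesite'], '')`, would pin that an unset `samesite` keeps the `''` default the documentation hunk states.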
@@ -1461,6 +1461,7 @@ Varun Sharma
1461 1461 Daniel Shaulov
1462 1462 Vlad Shcherbina
1463 1463 Justin Sheehy
1464 +Akash Shende
1464 1465 Charlie Shepherd
1465 1466 Bruce Sherwood
1466 1467 Alexander Shigin
@@ -0,0 +1,2 @@
1 +Added support for the ``SameSite`` cookie flag to the ``http.cookies``
2 +module.