bpo-29613: Added support for SameSite cookies (GH-6413) · python/cpython@c87eb09 (original) (raw)
5 files changed
lines changed
@@ -137,11 +137,16 @@ Morsel Objects | ||
137 | 137 | * ``secure`` |
138 | 138 | * ``version`` |
139 | 139 | * ``httponly`` |
140 | + * ``samesite`` | |
140 | 141 | |
141 | 142 | The attribute :attr:`httponly` specifies that the cookie is only transferred |
142 | 143 | in HTTP requests, and is not accessible through JavaScript. This is intended |
143 | 144 | to mitigate some forms of cross-site scripting. |
144 | 145 | |
146 | + The attribute :attr:`samesite` specifies that the browser is not allowed to | |
147 | + send the cookie along with cross-site requests. This helps to mitigate CSRF | |
148 | + attacks. Valid values for this attribute are "Strict" and "Lax". | |
149 | + | |
145 | 150 | The keys are case-insensitive and their default value is ``''``. |
146 | 151 | |
147 | 152 | .. versionchanged:: 3.5 |
@@ -153,6 +158,9 @@ Morsel Objects | ||
153 | 158 | :attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for |
154 | 159 | setting them. |
155 | 160 | |
161 | + .. versionchanged:: 3.8 | |
162 | + Added support for the :attr:`samesite` attribute. | |
163 | + | |
156 | 164 | |
157 | 165 | .. attribute:: Morsel.value |
158 | 166 |
@@ -281,6 +281,7 @@ class Morsel(dict): | ||
281 | 281 | "secure" : "Secure", |
282 | 282 | "httponly" : "HttpOnly", |
283 | 283 | "version" : "Version", |
284 | +"samesite" : "SameSite", | |
284 | 285 | } |
285 | 286 | |
286 | 287 | _flags = {'secure', 'httponly'} |
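Review bot: The new `"samesite"` entry in `_reserved` makes the attribute name accepted, but nothing in the commit constrains its value: it is deliberately not in `_flags` on the next line, so it is presumably emitted as `SameSite=<value>` verbatim (the test hunk's expected `'SameSite=%s' % val` suggests exactly that), while the documentation hunk states that the only valid values are "Strict" and "Lax". That means a value containing `;` or other header-breaking characters would reach the `Set-Cookie` line unchecked, which is consistent with how `path`/`domain` already behave rather than a new hole, but the docs and code should agree on whether the value set is enforced. I would add a comment at the new entry, `# Valued attribute (not in _flags): written out verbatim, not validated against Strict/Lax`, or, if enforcement is intended, reject unknown values with a `CookieError` at the point where unknown attribute names are already rejected (in `Morsel.__setitem__`, outside this hunk), comparing case-insensitively since the tests store `'strict'`/`'lax'`.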
@@ -121,6 +121,19 @@ def test_set_secure_httponly_attrs(self): | ||
121 | 121 | self.assertEqual(C.output(), |
122 | 122 | 'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure') |
123 | 123 | |
124 | +def test_samesite_attrs(self): | |
125 | +samesite_values = ['Strict', 'Lax', 'strict', 'lax'] | |
126 | +for val in samesite_values: | |
127 | +with self.subTest(val=val): | |
128 | +C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"') | |
129 | +C['Customer']['samesite'] = val | |
130 | +self.assertEqual(C.output(), | |
131 | +'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val) | |
132 | + | |
133 | +C = cookies.SimpleCookie() | |
134 | +C.load('Customer="WILL_E_COYOTE"; SameSite=%s' % val) | |
135 | +self.assertEqual(C['Customer']['samesite'], val) | |
136 | + | |
124 | 137 | def test_secure_httponly_false_if_not_present(self): |
125 | 138 | C = cookies.SimpleCookie() |
126 | 139 | C.load('eggs=scrambled; Path=/bacon') |
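Review bot: `test_samesite_attrs` only round-trips four accepted spellings and never pins the default, so a regression that started emitting `SameSite=` on every cookie, or that changed the default from `''`, would still pass. Following `test_secure_httponly_false_if_not_present` directly below, add a case that loads `'eggs=scrambled; Path=/bacon'` and asserts `C['eggs']['samesite'] == ''` and `'SameSite' not in C.output()`. The lowercase `'strict'`/`'lax'` cases also pin that the value is written back byte-for-byte rather than normalised; that is reasonable, but a one-line comment such as `# value is passed through unchanged, no case normalisation` would stop someone "fixing" it later. The loaded value `WILL_E_COYOTE` differs from the `WILE_E_COYOTE` used on the output side, which looks like a typo, harmless as the assertion only inspects the attribute.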
@@ -1461,6 +1461,7 @@ Varun Sharma | ||
1461 | 1461 | Daniel Shaulov |
1462 | 1462 | Vlad Shcherbina |
1463 | 1463 | Justin Sheehy |
1464 | +Akash Shende | |
1464 | 1465 | Charlie Shepherd |
1465 | 1466 | Bruce Sherwood |
1466 | 1467 | Alexander Shigin |
@@ -0,0 +1,2 @@ | ||
1 | +Added support for the ``SameSite`` cookie flag to the ``http.cookies`` | |
2 | +module. |