bpo-29613: Added support for SameSite cookies (GH-6413) · python/cpython@c87eb09 (original) (raw)
5 files changed
lines changed
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -137,11 +137,16 @@ Morsel Objects | ||
| 137 | 137 | * ``secure`` |
| 138 | 138 | * ``version`` |
| 139 | 139 | * ``httponly`` |
| 140 | + * ``samesite`` | |
| 140 | 141 | |
| 141 | 142 | The attribute :attr:`httponly` specifies that the cookie is only transferred |
| 142 | 143 | in HTTP requests, and is not accessible through JavaScript. This is intended |
| 143 | 144 | to mitigate some forms of cross-site scripting. |
| 144 | 145 | |
| 146 | + The attribute :attr:`samesite` specifies that the browser is not allowed to | |
| 147 | + send the cookie along with cross-site requests. This helps to mitigate CSRF | |
| 148 | + attacks. Valid values for this attribute are "Strict" and "Lax". | |
| 149 | + | |
| 145 | 150 | The keys are case-insensitive and their default value is ``''``. |
| 146 | 151 | |
| 147 | 152 | .. versionchanged:: 3.5 |
| @@ -153,6 +158,9 @@ Morsel Objects | ||
| 153 | 158 | :attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for |
| 154 | 159 | setting them. |
| 155 | 160 | |
| 161 | + .. versionchanged:: 3.8 | |
| 162 | + Added support for the :attr:`samesite` attribute. | |
| 163 | + | |
| 156 | 164 | |
| 157 | 165 | .. attribute:: Morsel.value |
| 158 | 166 |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -281,6 +281,7 @@ class Morsel(dict): | ||
| 281 | 281 | "secure" : "Secure", |
| 282 | 282 | "httponly" : "HttpOnly", |
| 283 | 283 | "version" : "Version", |
| 284 | +"samesite" : "SameSite", | |
| 284 | 285 | } |
| 285 | 286 | |
| 286 | 287 | _flags = {'secure', 'httponly'} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -121,6 +121,19 @@ def test_set_secure_httponly_attrs(self): | ||
| 121 | 121 | self.assertEqual(C.output(), |
| 122 | 122 | 'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure') |
| 123 | 123 | |
| 124 | +def test_samesite_attrs(self): | |
| 125 | +samesite_values = ['Strict', 'Lax', 'strict', 'lax'] | |
| 126 | +for val in samesite_values: | |
| 127 | +with self.subTest(val=val): | |
| 128 | +C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"') | |
| 129 | +C['Customer']['samesite'] = val | |
| 130 | +self.assertEqual(C.output(), | |
| 131 | +'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val) | |
| 132 | + | |
| 133 | +C = cookies.SimpleCookie() | |
| 134 | +C.load('Customer="WILL_E_COYOTE"; SameSite=%s' % val) | |
| 135 | +self.assertEqual(C['Customer']['samesite'], val) | |
| 136 | + | |
| 124 | 137 | def test_secure_httponly_false_if_not_present(self): |
| 125 | 138 | C = cookies.SimpleCookie() |
| 126 | 139 | C.load('eggs=scrambled; Path=/bacon') |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1461,6 +1461,7 @@ Varun Sharma | ||
| 1461 | 1461 | Daniel Shaulov |
| 1462 | 1462 | Vlad Shcherbina |
| 1463 | 1463 | Justin Sheehy |
| 1464 | +Akash Shende | |
| 1464 | 1465 | Charlie Shepherd |
| 1465 | 1466 | Bruce Sherwood |
| 1466 | 1467 | Alexander Shigin |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| 1 | +Added support for the ``SameSite`` cookie flag to the ``http.cookies`` | |
| 2 | +module. |