gh-112713 : Add support for 'partitioned' attribute in http.cookies (GH-112714)

* Add support for 'partitioned' attribute in http.cookies Co-authored-by: Giles Copp <gilesc@dropbox.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
2025-07-07 19:35:27 +00:00 · 2025-01-24 17:31:52 -05:00 · 2025-01-24 17:31:52 -05:00 · 9abbb58e3f
commit 9abbb58e3f
parent 3a3a6b86f4
4 changed files with 28 additions and 1 deletions
--- a/Doc/library/http.cookies.rst
+++ b/Doc/library/http.cookies.rst
@ -142,6 +142,7 @@ Morsel Objects
                    version
                    httponly
                    samesite
+                    partitioned

   The attribute :attr:`httponly` specifies that the cookie is only transferred
   in HTTP requests, and is not accessible through JavaScript. This is intended
@ -151,6 +152,19 @@ Morsel Objects
   send the cookie along with cross-site requests. This helps to mitigate CSRF
   attacks. Valid values for this attribute are "Strict" and "Lax".

+   The attribute :attr:`partitioned` indicates to user agents that these
+   cross-site cookies *should* only be available in the same top-level context
+   that the cookie was first set in. For this to be accepted by the user agent,
+   you **must** also set ``Secure``.
+
+   In addition, it is recommended to use the ``__Host`` prefix when setting
+   partitioned cookies to make them bound to the hostname and not the
+   registrable domain. Read
+   `CHIPS (Cookies Having Independent Partitioned State)`_
+   for full details and examples.
+
+   .. _CHIPS (Cookies Having Independent Partitioned State): https://github.com/privacycg/CHIPS/blob/main/README.md
+
   The keys are case-insensitive and their default value is ``''``.

   .. versionchanged:: 3.5
@ -165,6 +179,9 @@ Morsel Objects
   .. versionchanged:: 3.8
      Added support for the :attr:`samesite` attribute.

+   .. versionchanged:: 3.14
+      Added support for the :attr:`partitioned` attribute.
+

 .. attribute:: Morsel.value

--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@ -264,11 +264,12 @@ class Morsel(dict):
        "httponly" : "HttpOnly",
        "version"  : "Version",
        "samesite" : "SameSite",
+        "partitioned": "Partitioned",
    }

    _reserved_defaults = dict.fromkeys(_reserved, "")

-    _flags = {'secure', 'httponly'}
+    _flags = {'secure', 'httponly', 'partitioned'}

    def __init__(self):
        # Set defaults
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@ -205,6 +205,14 @@ class CookieTests(unittest.TestCase):
        self.assertEqual(C.output(),
            'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')

+    def test_set_secure_httponly_partitioned_attrs(self):
+        C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
+        C['Customer']['secure'] = True
+        C['Customer']['httponly'] = True
+        C['Customer']['partitioned'] = True
+        self.assertEqual(C.output(),
+            'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Partitioned; Secure')
+
    def test_samesite_attrs(self):
        samesite_values = ['Strict', 'Lax', 'strict', 'lax']
        for val in samesite_values:
--- a/Misc/NEWS.d/next/Core_and_Builtins/2023-12-04-15-53-25.gh-issue-112713.Zrhv77.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2023-12-04-15-53-25.gh-issue-112713.Zrhv77.rst
@ -0,0 +1 @@
+Added support for the ``Partitioned`` cookie flag in :mod:`http.cookies`.
				`@ -0,0 +1 @@`
				Added support for the ``Partitioned`` cookie flag in :mod:`http.cookies`.