bpo-29613: Added support for SameSite cookies (GH-6413)

* bpo-29613: Added support for SameSite cookies

Implemented as per draft
https://tools.ietf.org/html/draft-west-first-party-cookies-07

* Documented SameSite

And suggestions by members.

* Missing space :(

* Updated News and contributors

* Added version changed details.

* Fix in documentation

* fix in documentation

* Clubbed test cases for the same attribute into a single one.

* Updates

* Style nits + expand tests

* review feedback
Alex Gaynor 2018-04-07 16:09:42 -04:00 committed by GitHub
parent 1d80a56173
commit c87eb09d2e
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 25 additions and 0 deletions

@ -137,11 +137,16 @@ Morsel Objects
* ``secure`` * ``secure``
* ``version`` * ``version``
* ``httponly`` * ``httponly``
* ``samesite``
The attribute :attr:`httponly` specifies that the cookie is only transferred The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting. to mitigate some forms of cross-site scripting.
The attribute :attr:`samesite` specifies that the browser is not allowed to
send the cookie along with cross-site requests. This helps to mitigate CSRF
attacks. Valid values for this attribute are "Strict" and "Lax".
The keys are case-insensitive and their default value is ``''``. The keys are case-insensitive and their default value is ``''``.
.. versionchanged:: 3.5 .. versionchanged:: 3.5
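Review bot: The new paragraph states that the valid values are "Strict" and "Lax", but nothing in this commit enforces that, and the test in the same change accepts lowercase "strict"/"lax" as well. Either say that the value is stored and emitted as given (so the application is responsible for choosing one of the draft's values), or add the check the sentence implies. It would also help readers to note here that, unlike ``secure`` and ``httponly``, ``samesite`` is not a bare flag and is always rendered as ``SameSite=<value>``.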
@ -153,6 +158,9 @@ Morsel Objects
:attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for :attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for
setting them. setting them.
.. versionchanged:: 3.8
Added support for the :attr:`samesite` attribute.
.. attribute:: Morsel.value .. attribute:: Morsel.value

@ -281,6 +281,7 @@ class Morsel(dict):
"secure" : "Secure", "secure" : "Secure",
"httponly" : "HttpOnly", "httponly" : "HttpOnly",
"version" : "Version", "version" : "Version",
"samesite" : "SameSite",
} }
_flags = {'secure', 'httponly'} _flags = {'secure', 'httponly'}
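Review bot: Adding "samesite" to ``_reserved`` (and deliberately not to ``_flags``) is the right shape, since SameSite carries a value, but this hunk adds no validation of that value even though the documentation in the same commit lists only "Strict" and "Lax". Consider validating (case-insensitively) when the attribute is set, or at minimum documenting that any string is accepted and written into the header unchanged, so callers know not to pass unvalidated input.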

@ -121,6 +121,19 @@ class CookieTests(unittest.TestCase):
self.assertEqual(C.output(), self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure') 'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')
def test_samesite_attrs(self):
samesite_values = ['Strict', 'Lax', 'strict', 'lax']
for val in samesite_values:
with self.subTest(val=val):
C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
C['Customer']['samesite'] = val
self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)
C = cookies.SimpleCookie()
C.load('Customer="WILL_E_COYOTE"; SameSite=%s' % val)
self.assertEqual(C['Customer']['samesite'], val)
def test_secure_httponly_false_if_not_present(self): def test_secure_httponly_false_if_not_present(self):
C = cookies.SimpleCookie() C = cookies.SimpleCookie()
C.load('eggs=scrambled; Path=/bacon') C.load('eggs=scrambled; Path=/bacon')
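Review bot: The ``load`` half of ``test_samesite_attrs`` uses ``WILL_E_COYOTE`` while the ``output`` half uses ``WILE_E_COYOTE``; harmless, but the mismatch looks like a typo and should be made consistent. The test also only covers the happy path: please add a case asserting that a cookie with no ``samesite`` set produces no ``SameSite`` attribute in ``output()`` (the default is ``''``), and a round-trip ``load`` then ``output`` check, so the attribute's default and serialisation are pinned down as well as its parsing.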

@ -1461,6 +1461,7 @@ Varun Sharma
Daniel Shaulov Daniel Shaulov
Vlad Shcherbina Vlad Shcherbina
Justin Sheehy Justin Sheehy
Akash Shende
Charlie Shepherd Charlie Shepherd
Bruce Sherwood Bruce Sherwood
Alexander Shigin Alexander Shigin

@ -0,0 +1,2 @@
Added support for the ``SameSite`` cookie flag to the ``http.cookies``
module.
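Review bot: The NEWS entry calls SameSite a "cookie flag", but the code change intentionally keeps it out of ``_flags`` because it takes a value (``SameSite=Strict`` / ``SameSite=Lax``). Use "attribute" here, matching the documentation hunk, to avoid suggesting it behaves like ``Secure`` or ``HttpOnly``.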