bpo-29613: Added support for SameSite cookies (GH-6413)
* bpo-29613: Added support for SameSite cookies Implemented as per draft https://tools.ietf.org/html/draft-west-first-party-cookies-07 * Documented SameSite And suggestions by members. * Missing space :( * Updated News and contributors * Added version changed details. * Fix in documentation * fix in documentation * Clubbed test cases for same attribute into single. * Updates * Style nits + expand tests * review feedback
This commit is contained in:
parent
1d80a56173
commit
c87eb09d2e
|
@ -137,11 +137,16 @@ Morsel Objects
|
|||
* ``secure``
|
||||
* ``version``
|
||||
* ``httponly``
|
||||
* ``samesite``
|
||||
|
||||
The attribute :attr:`httponly` specifies that the cookie is only transferred
|
||||
in HTTP requests, and is not accessible through JavaScript. This is intended
|
||||
to mitigate some forms of cross-site scripting.
|
||||
|
||||
The attribute :attr:`samesite` specifies that the browser is not allowed to
|
||||
send the cookie along with cross-site requests. This helps to mitigate CSRF
|
||||
attacks. Valid values for this attribute are "Strict" and "Lax".
|
||||
|
||||
The keys are case-insensitive and their default value is ``''``.
|
||||
|
||||
.. versionchanged:: 3.5
|
||||
|
@ -153,6 +158,9 @@ Morsel Objects
|
|||
:attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for
|
||||
setting them.
|
||||
|
||||
.. versionchanged:: 3.8
|
||||
Added support for the :attr:`samesite` attribute.
|
||||
|
||||
|
||||
.. attribute:: Morsel.value
|
||||
|
||||
|
|
|
@ -281,6 +281,7 @@ class Morsel(dict):
|
|||
"secure" : "Secure",
|
||||
"httponly" : "HttpOnly",
|
||||
"version" : "Version",
|
||||
"samesite" : "SameSite",
|
||||
}
|
||||
|
||||
_flags = {'secure', 'httponly'}
|
||||
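Review bot: The new `"samesite" : "SameSite"` entry registers the attribute name in `_reserved`, but nothing in this hunk constrains the value: the draft cited in the commit defines only `Strict` and `Lax`, and the accompanying test expects lowercase `strict`/`lax` to be emitted verbatim, so the value reaches the `Set-Cookie` header as given. Because it is emitted unvalidated, callers should treat it as trusted configuration rather than request-derived input; a comment on the line would make that explicit: `"samesite" : "SameSite",  # value attribute (not in _flags); emitted as given, not validated`. The `Morsel` class and its `set` method start outside the hunk, so any validation of the documented token set would be raised there, if at all.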
|
|
|
@ -121,6 +121,19 @@ class CookieTests(unittest.TestCase):
|
|||
self.assertEqual(C.output(),
|
||||
'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')
|
||||
|
||||
def test_samesite_attrs(self):
|
||||
samesite_values = ['Strict', 'Lax', 'strict', 'lax']
|
||||
for val in samesite_values:
|
||||
with self.subTest(val=val):
|
||||
C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
|
||||
C['Customer']['samesite'] = val
|
||||
self.assertEqual(C.output(),
|
||||
'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)
|
||||
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('Customer="WILL_E_COYOTE"; SameSite=%s' % val)
|
||||
self.assertEqual(C['Customer']['samesite'], val)
|
||||
|
||||
def test_secure_httponly_false_if_not_present(self):
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('eggs=scrambled; Path=/bacon')
|
||||
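Review bot: `C.load('Customer="WILL_E_COYOTE"; SameSite=%s' % val)` in the load half of `test_samesite_attrs` uses a different cookie value (`WILL_E_COYOTE`) than the output half (`WILE_E_COYOTE`); it reads as a typo rather than intent, and since only `C['Customer']['samesite']` is asserted, the cookie value is never checked on the load path. Suggest the same literal in both halves plus `self.assertEqual(C['Customer'].value, 'WILE_E_COYOTE')` so the round-trip pins both the value and the attribute. The test also only exercises values the documentation lists as valid (and their lowercase forms); one case showing what an unlisted value does, pass-through or rejection, would record the intended contract. The enclosing `CookieTests` class starts outside the hunk.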
|
|
|
@ -1461,6 +1461,7 @@ Varun Sharma
|
|||
Daniel Shaulov
|
||||
Vlad Shcherbina
|
||||
Justin Sheehy
|
||||
Akash Shende
|
||||
Charlie Shepherd
|
||||
Bruce Sherwood
|
||||
Alexander Shigin
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
Added support for the ``SameSite`` cookie flag to the ``http.cookies``
|
||||
module.
|