[Python-checkins] bpo-29613: Added support for SameSite cookies (GH-6413)

Sat Apr 7 16:09:50 EDT 2018

https://github.com/python/cpython/commit/c87eb09d2e3783b0b5dc0d7cb304050cbcc86ad3
commit: c87eb09d2e3783b0b5dc0d7cb304050cbcc86ad3
branch: master
author: Alex Gaynor <alex.gaynor at gmail.com>
committer: GitHub <noreply at github.com>
date: 2018年04月07日T16:09:42-04:00
summary:
bpo-29613: Added support for SameSite cookies (GH-6413)
* bpo-29613: Added support for SameSite cookies
Implemented as per draft
https://tools.ietf.org/html/draft-west-first-party-cookies-07
* Documented SameSite
And suggestions by members.
* Missing space :(
* Updated News and contributors
* Added version changed details.
* Fix in documentation
* fix in documentation
* Clubbed test cases for same attribute into single.
* Updates
* Style nits + expand tests
* review feedback
files:
A Misc/NEWS.d/next/Library/2018-04-07-13-49-39.bpo-29613.r6FDnB.rst
M Doc/library/http.cookies.rst
M Lib/http/cookies.py
M Lib/test/test_http_cookies.py
M Misc/ACKS

diff --git a/Doc/library/http.cookies.rst b/Doc/library/http.cookies.rst
index fb8317ad59e6..f3457a0cdc7b 100644
--- a/Doc/library/http.cookies.rst
+++ b/Doc/library/http.cookies.rst
@@ -137,11 +137,16 @@ Morsel Objects
 * ``secure``
 * ``version``
 * ``httponly``
+ * ``samesite``
 
 The attribute :attr:`httponly` specifies that the cookie is only transferred
 in HTTP requests, and is not accessible through JavaScript. This is intended
 to mitigate some forms of cross-site scripting.
 
+ The attribute :attr:`samesite` specifies that the browser is not allowed to
+ send the cookie along with cross-site requests. This helps to mitigate CSRF
+ attacks. Valid values for this attribute are "Strict" and "Lax".
+
 The keys are case-insensitive and their default value is ``''``.
 
 .. versionchanged:: 3.5
@@ -153,6 +158,9 @@ Morsel Objects
 :attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for
 setting them.
 
+ .. versionchanged:: 3.8
+ Added support for the :attr:`samesite` attribute.
+
 
 .. attribute:: Morsel.value
 
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 7e0259ee32e4..4a44db8475ea 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -281,6 +281,7 @@ class Morsel(dict):
 "secure" : "Secure",
 "httponly" : "HttpOnly",
 "version" : "Version",
+ "samesite" : "SameSite",
 }
 
 _flags = {'secure', 'httponly'}
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 2ff690243fc3..447f883390fd 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -121,6 +121,19 @@ def test_set_secure_httponly_attrs(self):
 self.assertEqual(C.output(),
 'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')
 
+ def test_samesite_attrs(self):
+ samesite_values = ['Strict', 'Lax', 'strict', 'lax']
+ for val in samesite_values:
+ with self.subTest(val=val):
+ C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
+ C['Customer']['samesite'] = val
+ self.assertEqual(C.output(),
+ 'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)
+
+ C = cookies.SimpleCookie()
+ C.load('Customer="WILL_E_COYOTE"; SameSite=%s' % val)
+ self.assertEqual(C['Customer']['samesite'], val)
+
 def test_secure_httponly_false_if_not_present(self):
 C = cookies.SimpleCookie()
 C.load('eggs=scrambled; Path=/bacon')
diff --git a/Misc/ACKS b/Misc/ACKS
index b951446bab7b..8b2931f0bd35 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1461,6 +1461,7 @@ Varun Sharma
 Daniel Shaulov
 Vlad Shcherbina
 Justin Sheehy
+Akash Shende
 Charlie Shepherd
 Bruce Sherwood
 Alexander Shigin
diff --git a/Misc/NEWS.d/next/Library/2018-04-07-13-49-39.bpo-29613.r6FDnB.rst b/Misc/NEWS.d/next/Library/2018-04-07-13-49-39.bpo-29613.r6FDnB.rst
new file mode 100644
index 000000000000..a679cd91194f
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-04-07-13-49-39.bpo-29613.r6FDnB.rst
@@ -0,0 +1,2 @@
+Added support for the ``SameSite`` cookie flag to the ``http.cookies``
+module.
