Skip to content

bpo-29613: Added support for SameSite cookies #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
akash0x53 wants to merge 8 commits into from
+22 −0
Closed

bpo-29613: Added support for SameSite cookies #214

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ef83909
bpo-29613: Added support for SameSite cookies
akash0x53 Feb 21, 2017
c8bc135
Documented SameSite
akash0x53 Feb 21, 2017
c064da4
Missing space :(
akash0x53 Feb 21, 2017
364ea46
Updated News and contributors
akash0x53 Feb 21, 2017
c3890a2
Added version changed details.
akash0x53 Feb 22, 2017
6ed3f3f
Fix in documentation
akash0x53 Feb 22, 2017
aa54e50
fix in documentation
akash0x53 Feb 22, 2017
a6cbc20
Clubbed test cases for same attribute into single.
akash0x53 Feb 22, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Fix in documentation
  • Loading branch information
@akash0x53
akash0x53 committed Feb 28, 2017
commit 6ed3f3f5ae04f0b9af42863206a276dd845acac1
8 changes: 4 additions & 4 deletions Doc/library/http.cookies.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,13 +143,13 @@ Morsel Objects
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
Copy link
Contributor

@timgraham timgraham Feb 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This helps

values for this attribute are "Strict" and "Lax".
Copy link
Contributor

@timgraham timgraham Feb 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are the meaning of these values?
Are invalid values rejected? I don't see any code/tests for that.

Copy link
Author

@akash0x53 akash0x53 Feb 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Explaining the values would be out of scope of the Python documentation. I think invalid values should be accepted, after all its browser's job to discard invalid values. Suppose, in future they proposed or added another value for SameSite then we need to make space for that too. By the way i'm not sure about this, let the member decide.

Copy link
Member

@berkerpeksag berkerpeksag Feb 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tim is correct that we need to add a test for invalid values. However, we need to decide on what we should do with invalid values first. I don't have time to do a research at the moment, but just a note that Firefox doesn't implement SameSite support yet: https://bugzilla.mozilla.org/show_bug.cgi?id=795346

Copy link
Author

@akash0x53 akash0x53 Feb 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right. However, chrome implemented SamSite. Right now only Chrome implemented this. https://bugs.chromium.org/p/chromium/issues/detail?id=459154
I checked the test cases they wrote for the same, i didn't find test cases for invalid values.
https://chromium.googlesource.com/chromium/src/+/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/canonical_cookie_unittest.cc#86

I messed with this branch :( Should I open new PR?

Copy link
Contributor

@timgraham timgraham Feb 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should be able to fix the branch by rebasing and force pushing.


Copy link
Member

@Mariatta Mariatta Feb 21, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add below this line:

   .. versionchanged:: 3.7
      Added support for :attr:`samesite` attribute.

Thanks @alex for the clarification about this :)

.. versionchanged:: 3.7
Added support for :attr:`samesite` attribute.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
values for this attribute are "Strict" and "Lax".

The keys are case-insensitive and their default value is ``''``.

.. versionchanged:: 3.5
Expand Down