#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, csrf, partitioned | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Terence Honles):
Replying to [comment:9 Michael Wheeler]:
> I wonder if it would be possible to follow a similar approach to the one
> that was used to add support for `SameSite`
> https://github.com/django/django/commit/9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a.
>
> Not sure if anyone was already planning on tackling this, but if not I'd
> be curious about taking it on as a first time contributor.

Thanks for the pointer here. I was actually going to write a WSGI
middleware, but following what was done for `SameSite` I used the
following:
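middleware.py:
{{{
from http import cookies

from django.conf import settings
from django.http import HttpRequest
from django.http.response import HttpResponseBase
from django.utils.deprecation import MiddlewareMixin

# Teach the stdlib Morsel about the "Partitioned" flag attribute.
cookies.Morsel._flags.add("partitioned")
cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


class CookiePartitioningMiddleware(MiddlewareMixin):
    def process_response(
        self, request: HttpRequest, response: HttpResponseBase
    ) -> HttpResponseBase:
        # Only cookies whose *_COOKIE_SECURE setting is enabled are considered.
        for name in (
            getattr(settings, f"{prefix}_COOKIE_NAME")
            for prefix in ("CSRF", "SESSION", "LANGUAGE")
            if getattr(settings, f"{prefix}_COOKIE_SECURE")
        ):
            # Mark the cookie only if this response actually sets it.
            if cookie := response.cookies.get(name):
                cookie["Partitioned"] = True
        return response
}}}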
and added the middleware to my application.
Adding and respecting a `${NAME}_COOKIE_PARTITIONED` would make sense for a
PR, but for our use case we want to partition all cookies. It ''may'' also
make sense to make sure `${NAME}_COOKIE_SAMESITE` is `'None'` since that
is [https://developers.google.com/privacy-sandbox/3pcd/chips#:~:text=Note%3A%20Adding%20SameSite%3DNone%20will%20allow%20your%20cookie%20to%20be%20sent%20in%20third%2Dparty%20contexts%20where%20the%20Partitioned%20attribute%20is%20not%20supported%2C%20as%20long%20as%20third%2Dparty%20cookies%20are%20allowed%20in%20browser%20settings. recommended for browsers which don't support partitioning via CHIPS].
--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:10>
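
An added example (not from the ticket or from Django's code base): a stdlib-only check that a rendered `Set-Cookie` value carrying `Partitioned` also carries `Secure`, which CHIPS requires, and `SameSite=None`, which the comment above suggests. The helper names `build_header` and `audit_set_cookie` and the sample cookie values are constructed for illustration.

```python
from http import cookies

# Same stdlib patch as in the comment above. It is a no-op on Python
# versions whose http.cookies already knows the attribute.
cookies.Morsel._flags.add("partitioned")
cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


def build_header(name, value, *, secure, samesite, partitioned):
    """Render one Set-Cookie value with http.cookies (constructed inputs)."""
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    if samesite:
        morsel["samesite"] = samesite
    morsel["secure"] = secure            # flag: emitted only when truthy
    morsel["partitioned"] = partitioned  # flag: emitted only when truthy
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return findings for one Set-Cookie value that uses Partitioned."""
    attrs = {}
    # Skip the leading name=value pair; attribute names are case-insensitive.
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    findings = []
    if "partitioned" not in attrs:
        return findings  # nothing to check for unpartitioned cookies
    if "secure" not in attrs:
        findings.append("Partitioned without Secure")
    if attrs.get("samesite", "").lower() != "none":
        findings.append("Partitioned without SameSite=None")
    return findings


if __name__ == "__main__":
    for secure, samesite in ((True, "None"), (False, "Lax")):
        header = build_header("sessionid", "abc123", secure=secure,
                              samesite=samesite, partitioned=True)
        print(header, "->", audit_set_cookie(header) or "ok")
```
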