This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8500
in repository https://gitbox.apache.org/repos/asf/allura.git

commit c7ce55b97b1e9d1007fad77586fa81a516368e2e
Author: Dave Brondsema <[email protected]>
AuthorDate: Thu Feb 16 15:45:53 2023 -0500

    [#8500] make _session_id cookie use samesite=strict
---
 Allura/allura/lib/custom_middleware.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Allura/allura/lib/custom_middleware.py 
b/Allura/allura/lib/custom_middleware.py
index e8fedd225..0244c5721 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -216,9 +216,10 @@ class CSRFMiddleware:
         def session_start_response(status, headers, exc_info=None):
             if dict(headers).get('Content-Type', '').startswith('text/html'):
                 use_secure = 'secure; ' if environ['beaker.session'].secure 
else ''
+                samesite = 'SameSite=Strict; ' if 
environ['beaker.session'].secure else ''
                 headers.append(
                     ('Set-cookie',
-                     str(f'{self._cookie_name}={cookie}; {use_secure}Path=/')))
+                     str(f'{self._cookie_name}={cookie}; 
{use_secure}{samesite}Path=/')))
             return start_response(status, headers, exc_info)
 
         return self._app(environ, session_start_response)
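Review bot: The new `samesite` assignment is gated on `environ['beaker.session'].secure`, so any deployment whose session is not marked secure (a plain-HTTP dev or test setup, for instance) gets no SameSite attribute at all and is left to the browser's default, which defeats the purpose of the commit there; SameSite does not depend on Secure, so the line can be unconditional, `samesite = 'SameSite=Strict; '`, or the literal can simply go into the f-string. The gating looks copied from the `use_secure` line directly above rather than being a requirement. Separately, the emitted cookie still carries no `HttpOnly` attribute; if this session cookie is not meant to be readable from script, `HttpOnly; ` belongs in the same f-string. The `str(...)` wrapping of an f-string on the rewritten line is redundant and can be dropped. The enclosing method of `session_start_response` starts outside the hunk.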
