#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: 4.1
Severity: Normal | Resolution: needsinfo
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Raphael Michel):
Hi Mariusz,
Replying to [comment:6 Mariusz Felisiak]:
> Raphael, I appreciate you'd like to reopen the ticket, but I'm not
> exactly sure what kind of changes are needed in Django, is it something
> that can be handled by a custom middleware? Do we need to change
> `SimpleCookie` implementation?
That is the very nasty part about this: Cookie headers are handled as a
special case by Django directly on the WSGI/ASGI layer, differently from any
other header, so as far as I can tell, a custom middleware can *not* implement
this. Supporting it in Django requires at least an additional keyword
argument to `set_cookie()` plus – and that is the nasty part – a change to
`SimpleCookie`, which is in the stdlib these days.
There is already an issue for the stdlib:
https://github.com/python/cpython/issues/112713
It also has a PR:
https://github.com/python/cpython/pull/112714
But even if that gets merged soon, I don't think it will be backported to
existing Python versions, so supporting this in the near future (i.e. the next
Django version) would mean vendoring parts of `SimpleCookie` again.
I'll try to figure out what parts exactly in the next days or weeks, since
even if this does not make it in Django soon, we'll need to monkeypatch it
in our project somehow.
> Should we mark Django cookies as "partitioned"?
I think it should be opt-in, i.e. a settings flag for session cookie and
CSRF cookie (similar to Secure and HttpOnly), and a keyword argument for
`set_cookie()`.
> Is it only an issue for session cookies? etc.
No, this will affect at least session cookie and CSRF cookie, plus
possibly custom cookies.
--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
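The monkeypatch the comment above says a project will need, written out as an added example. This is not Django's or CPython's code and is not the patch in the linked CPython PR; it assumes only that the stdlib `http.cookies.Morsel` keeps its `_reserved` dict and `_flags` set as mutable class attributes (true for CPython 3.8 through 3.13), and it becomes a no-op on a Python whose `SimpleCookie` already knows the attribute. The `build_set_cookie()` helper and its `partitioned` keyword are hypothetical stand-ins for the `set_cookie()` argument proposed in the ticket; the cookie names and values are constructed sample data.

```python
"""Teach http.cookies.Morsel the CHIPS `Partitioned` attribute.

Added example, not Django's or CPython's code. Assumes Morsel._reserved (a
dict: lower-case attribute name -> wire spelling) and Morsel._flags (a set of
attributes emitted bare, without "=value") are mutable class attributes.
"""
from http.cookies import CookieError, Morsel, SimpleCookie


def stdlib_supports_partitioned() -> bool:
    """True if the running stdlib already accepts `partitioned` unpatched."""
    return "partitioned" in Morsel._reserved


def patch_morsel_for_partitioned() -> None:
    """Register `Partitioned` as a bare flag attribute. Idempotent."""
    # Without this entry, morsel["partitioned"] = True raises CookieError
    # ("Invalid attribute 'partitioned'") in Morsel.__setitem__.
    Morsel._reserved.setdefault("partitioned", "Partitioned")
    # Flags are rendered as just their name (like Secure / HttpOnly).
    Morsel._flags.add("partitioned")


def attribute_accepted(name: str) -> bool:
    """Probe whether Morsel currently accepts an attribute of this name."""
    morsel = Morsel()
    try:
        morsel[name] = True
    except CookieError:
        return False
    return True


def build_set_cookie(key, value, *, path="/", max_age=None, secure=False,
                     httponly=False, samesite=None, partitioned=False) -> str:
    """Return the Set-Cookie header value for one cookie.

    Hypothetical stand-in for Django's set_cookie() with the `partitioned`
    keyword the ticket proposes. Browsers implementing CHIPS reject a
    Partitioned cookie that is not also Secure, so that combination is
    refused here instead of silently emitting a cookie that will be dropped.
    """
    if partitioned and not secure:
        raise ValueError("Partitioned cookies must also be Secure")
    if partitioned and not stdlib_supports_partitioned():
        patch_morsel_for_partitioned()

    cookies = SimpleCookie()
    cookies[key] = value          # SimpleCookie quotes the value if needed
    morsel = cookies[key]
    morsel["path"] = path
    if max_age is not None:
        morsel["max-age"] = int(max_age)
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    if samesite:
        morsel["samesite"] = samesite
    if partitioned:
        morsel["partitioned"] = True
    # OutputString() renders attributes in sorted key order, flags bare.
    return morsel.OutputString()


if __name__ == "__main__":
    print("stdlib already supports Partitioned:", stdlib_supports_partitioned())
    # Constructed sample cookies, not real session material.
    print(build_set_cookie("sessionid", "abc123", secure=True, httponly=True,
                           samesite="None", partitioned=True))
    print(build_set_cookie("csrftoken", "t0k3n", secure=True, samesite="Lax"))
```

The patch mutates the stdlib `Morsel` class process-wide, so apply it once at startup (an `AppConfig.ready()` hook is the natural place in a Django project) rather than per request, and keep the `stdlib_supports_partitioned()` check so the project stops carrying the patch on a Python version where it is no longer needed. The `Secure` requirement is enforced because a `Partitioned` cookie without it is simply discarded by the browser, which would show up as a silently broken session or CSRF check rather than as an error.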