#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
     Reporter:  Oleg Korsak          |                    Owner:  nobody
         Type:  New feature          |                   Status:  new
    Component:  HTTP handling        |                  Version:  4.1
     Severity:  Normal               |               Resolution:
     Keywords:  chips, cookies,      |             Triage Stage:  Accepted
  csrf, partitioned                  |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Terence Honles):

Replying to [comment:9 Michael Wheeler]:
> I wonder if it would be possible to follow a similar approach to the one that was used to add support for `SameSite` https://github.com/django/django/commit/9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a.
>
> Not sure if anyone was already planning on tackling this, but if not I'd be curious about taking it on as a first time contributor.

Thanks for the pointer here. I was actually going to write a WSGI middleware, but following what was done for `SameSite` I used the following:

middleware.py:
{{{
from http import cookies

from django.conf import settings
from django.http import HttpRequest
from django.http.response import HttpResponseBase
from django.utils.deprecation import MiddlewareMixin

# Register "Partitioned" as a flag attribute that http.cookies will emit.
cookies.Morsel._flags.add("partitioned")
cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


class CookiePartitioningMiddleware(MiddlewareMixin):
    def process_response(
        self, request: HttpRequest, response: HttpResponseBase
    ) -> HttpResponseBase:
        # Only cookies whose *_COOKIE_SECURE setting is enabled are marked.
        for name in (
            getattr(settings, f"{prefix}_COOKIE_NAME")
            for prefix in ("CSRF", "SESSION", "LANGUAGE")
            if getattr(settings, f"{prefix}_COOKIE_SECURE")
        ):
            if cookie := response.cookies.get(name):
                cookie["Partitioned"] = True
        return response
}}}

and added the middleware to my application.

Adding and respecting a `${NAME}_COOKIE_PARTITIONED` would make sense for a PR, but for our use case we want to partition all cookies. It ''may'' also make sense to make sure `${NAME}_COOKIE_SAMESITE` is `'None'` since that is [https://developers.google.com/privacy-sandbox/3pcd/chips#:~:text=Note%3A%20Adding%20SameSite%3DNone%20will%20allow%20your%20cookie%20to%20be%20sent%20in%20third%2Dparty%20contexts%20where%20the%20Partitioned%20attribute%20is%20not%20supported%2C%20as%20long%20as%20third%2Dparty%20cookies%20are%20allowed%20in%20browser%20settings. recommended for browsers which don't support partitioning via CHIPS].

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:10>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
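The two conditions discussed in the comment above (Partitioned only on Secure cookies, with `SameSite=None` as the fallback), as an added standard-library example that is not code from the ticket, its commenters or Django. The names `partition_cookie`, `audit_set_cookie` and `demo` are hypothetical, the sample cookies are constructed, and the Secure requirement is taken from the CHIPS rules.

```python
from http import cookies

# Same registration as in the comment; idempotent if already defined.
cookies.Morsel._flags.add("partitioned")
cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


def partition_cookie(morsel, samesite_none=True):
    """Mark one cookie Partitioned; return False (untouched) if not Secure."""
    if not morsel["secure"]:
        # CHIPS requires Secure; browsers reject Partitioned without it.
        return False
    morsel["partitioned"] = True
    if samesite_none:
        # Fallback for browsers without CHIPS, per the linked note.
        morsel["samesite"] = "None"
    return True


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie header value (name=value; attrs)."""
    attrs = {}
    for part in header_value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    findings = []
    if "partitioned" in attrs:
        if "secure" not in attrs:
            findings.append("Partitioned without Secure")
        if attrs.get("samesite", "").lower() != "none":
            findings.append("Partitioned without SameSite=None")
    return findings


def demo():
    # Constructed sample cookies: one Secure session cookie, one plain cookie.
    jar = cookies.SimpleCookie()
    jar["sessionid"] = "abc123"
    jar["sessionid"]["secure"] = True
    jar["sessionid"]["samesite"] = "Lax"
    jar["lang"] = "en"  # not Secure, so it is skipped
    results = {name: partition_cookie(m) for name, m in jar.items()}
    headers = {name: m.OutputString() for name, m in jar.items()}
    return results, headers


if __name__ == "__main__":
    for header in demo()[1].values():
        print("Set-Cookie:", header, "->", audit_set_cookie(header) or "ok")
```

`audit_set_cookie` can also be run over `Set-Cookie` values captured from a response in a test suite to confirm that no cookie is emitted with `Partitioned` but without `Secure`.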