#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
     Reporter:  Oleg Korsak          |                    Owner:  nobody
         Type:  New feature          |                   Status:  new
    Component:  HTTP handling        |                  Version:  4.1
     Severity:  Normal               |               Resolution:
     Keywords:  chips, cookies,      |             Triage Stage:  Accepted
  csrf, partitioned                  |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Terence Honles):

 Replying to [comment:9 Michael Wheeler]:
 > I wonder if it would be possible to follow a similar approach to the one
 > that was used to add support for `SameSite`
 > https://github.com/django/django/commit/9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a.
 >
 > Not sure if anyone was already planning on tackling this, but if not I'd
 > be curious about taking it on as a first time contributor.

 Thanks for the pointer here. I was actually going to write a WSGI
 middleware, but following what was done for `SameSite` I used the
 following:

 middleware.py:
 {{{
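 ...
 from http import cookies

 from django.conf import settings
 from django.http import HttpRequest
 from django.http.response import HttpResponseBase
 from django.utils.deprecation import MiddlewareMixin

 ...
 # Register "Partitioned" as a valueless flag on the stdlib Morsel,
 # following what was done for SameSite.
 cookies.Morsel._flags.add("partitioned")
 cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")

 class CookiePartitioningMiddleware(MiddlewareMixin):
     def process_response(
         self, request: HttpRequest, response: HttpResponseBase
     ) -> HttpResponseBase:
         # Only cookies whose *_COOKIE_SECURE setting is enabled are considered.
         for name in (
             getattr(settings, f"{prefix}_COOKIE_NAME")
             for prefix in ("CSRF", "SESSION", "LANGUAGE")
             if getattr(settings, f"{prefix}_COOKIE_SECURE")
         ):
             # Mark the cookie only if this response actually sets it.
             if cookie := response.cookies.get(name):
                 cookie["Partitioned"] = True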

         return response
 }}}

 and added the middleware to my application.

 Adding and respecting a `${NAME}_COOKIE_PARTITIONED` would make sense for a
 PR, but for our use case we want to partition all cookies. It ''may'' also
 make sense to make sure `${NAME}_COOKIE_SAMESITE` is `'None'` since that
 is [https://developers.google.com/privacy-sandbox/3pcd/chips#:~:text=Note%3A%20Adding%20SameSite%3DNone%20will%20allow%20your%20cookie%20to%20be%20sent%20in%20third%2Dparty%20contexts%20where%20the%20Partitioned%20attribute%20is%20not%20supported%2C%20as%20long%20as%20third%2Dparty%20cookies%20are%20allowed%20in%20browser%20settings. recommended for browsers which don't support partitioning via CHIPS].

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:10>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
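
The per-cookie opt-in and the `SameSite` check suggested in the comment above, sketched with only the standard library so it runs without a Django project. This is an added example, not code from the ticket or from Django: `partition_cookies`, `build_sample_jar` and the `opt_in` mapping (a stand-in for the hypothetical `${NAME}_COOKIE_PARTITIONED` settings) are assumptions, and the cookie values are constructed.

```python
from http import cookies

# Same patch as in the comment above; harmless on Python versions whose
# Morsel already knows the attribute.
cookies.Morsel._flags.add("partitioned")
cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


def partition_cookies(jar, opt_in):
    """Set Partitioned on opted-in cookies in `jar`.

    `opt_in` maps cookie name -> bool and stands in for the hypothetical
    per-cookie ${NAME}_COOKIE_PARTITIONED settings. Returns (name, note)
    pairs for cookies that were skipped or need attention.
    """
    notes = []
    for name, wanted in opt_in.items():
        morsel = jar.get(name)
        if morsel is None or not wanted:
            continue
        if not morsel["secure"]:
            # Browsers reject Partitioned cookies that are not Secure.
            notes.append((name, "skipped: not Secure"))
            continue
        morsel["partitioned"] = True
        if str(morsel["samesite"]).lower() != "none":
            notes.append((name, "partitioned, but SameSite is not None"))
    return notes


def build_sample_jar():
    """Constructed response cookies using Django's default cookie names."""
    jar = cookies.SimpleCookie()
    for name, secure, samesite in (
        ("sessionid", True, "None"),
        ("csrftoken", True, "Lax"),
        ("django_language", False, "Lax"),
    ):
        jar[name] = "constructed-value"
        jar[name]["secure"] = secure
        jar[name]["samesite"] = samesite
    return jar


if __name__ == "__main__":
    jar = build_sample_jar()
    for name, note in partition_cookies(jar, dict.fromkeys(jar, True)):
        print(f"{name}: {note}")
    print(jar.output())
```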
