#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, csrf, partitioned | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by BertrandHustle):
Replying to [comment:10 Terence Honles]:
> Replying to [comment:9 Michael Wheeler]:
> > I wonder if it would be possible to follow a similar approach to the
> > one that was used to add support for `SameSite`
> > https://github.com/django/django/commit/9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a.
> >
> > Not sure if anyone was already planning on tackling this, but if not
> > I'd be curious about taking it on as a first time contributor.
>
> Thanks for the pointer here. I was actually going to write a WSGI
> middleware, but following what was done for `SameSite` I used the
> following:
>
> middleware.py:
> {{{
> ...
> from http import cookies
>
> # imports the snippet relies on (elided in the original post)
> from django.conf import settings
> from django.http import HttpRequest, HttpResponseBase
> from django.utils.deprecation import MiddlewareMixin
>
> ...
> # Teach the stdlib Morsel the valueless "Partitioned" attribute so that
> # cookie["Partitioned"] = True does not raise CookieError.
> cookies.Morsel._flags.add("partitioned")
> cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")
>
> class CookiePartitioningMiddleware(MiddlewareMixin):
>     def process_response(
>         self, request: HttpRequest, response: HttpResponseBase
>     ) -> HttpResponseBase:
>         # Only cookies whose *_COOKIE_SECURE setting is on are partitioned;
>         # CHIPS requires the Secure attribute.
>         for name in (
>             getattr(settings, f"{prefix}_COOKIE_NAME")
>             for prefix in ("CSRF", "SESSION", "LANGUAGE")
>             if getattr(settings, f"{prefix}_COOKIE_SECURE")
>         ):
>             if cookie := response.cookies.get(name):
>                 cookie["Partitioned"] = True
>
>         return response
> }}}
>
> and added the middleware to my application.
>
> Adding and respecting a `${NAME}_COOKIE_PARTITIONED` would make sense for
> a PR, but for our use case we want to partition all cookies. It ''may''
> also make sense to make sure `${NAME}_COOKIE_SAMESITE` is `'None'` since
> that is [https://developers.google.com/privacy-sandbox/3pcd/chips#:~:text=Note%3A%20Adding%20SameSite%3DNone%20will%20allow%20your%20cookie%20to%20be%20sent%20in%20third%2Dparty%20contexts%20where%20the%20Partitioned%20attribute%20is%20not%20supported%2C%20as%20long%20as%20third%2Dparty%20cookies%20are%20allowed%20in%20browser%20settings.
> recommended for browsers which don't support partitioning via CHIPS]
FYI, this doesn't seem to work for `sessionid` cookies; the Partitioned
attr only gets set on the csrftoken.
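As an added example, not code from the ticket or from Django: a stdlib-only script that applies the same `Morsel` patch as the quoted middleware, marks cookies Partitioned only when they are Secure and (optionally) SameSite=None as the quoted comment suggests, and shows the resulting Set-Cookie header so a missing attribute can be checked per cookie. The function names (`register_partitioned_flag`, `partition_cookies`, `build_sample_cookies`, `header_for`) and the sample cookie values are my own.

```python
# Added example (not from the ticket or Django): stdlib-only demonstration of the
# Morsel patch used by the quoted middleware plus the SameSite=None check.
from http import cookies


def register_partitioned_flag() -> None:
    """Teach http.cookies.Morsel the Partitioned attribute (same patch as the middleware).

    Morsel only accepts keys listed in _reserved, so without this
    morsel["Partitioned"] = True raises http.cookies.CookieError; adding the key
    to _flags makes it a valueless attribute rendered as "; Partitioned".
    """
    cookies.Morsel._flags.add("partitioned")
    cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


# Applied at import, as the middleware module does, so every Morsel knows the key.
register_partitioned_flag()


def partition_cookies(jar: cookies.SimpleCookie, names, require_samesite_none=True) -> dict:
    """Mark each named cookie Partitioned, mirroring the quoted process_response loop.

    Returns a per-name report. A cookie is marked only when it is Secure (CHIPS
    requires it) and, if require_samesite_none is set, SameSite=None.
    """
    report = {}
    for name in names:
        morsel = jar.get(name)
        if morsel is None:
            report[name] = "absent"
        elif not morsel["secure"]:
            report[name] = "skipped: not Secure"
        elif require_samesite_none and morsel["samesite"].lower() != "none":
            report[name] = f"skipped: SameSite={morsel['samesite'] or '(unset)'}"
        else:
            morsel["partitioned"] = True
            report[name] = "partitioned"
    return report


def build_sample_cookies() -> cookies.SimpleCookie:
    """Constructed sample: cookies a response might carry after CSRF and session handling."""
    jar = cookies.SimpleCookie()
    jar["csrftoken"] = "constructed-token"
    jar["csrftoken"].update({"secure": True, "samesite": "None", "path": "/"})
    jar["sessionid"] = "constructed-session"
    jar["sessionid"].update({"secure": True, "samesite": "Lax", "path": "/"})
    return jar


def header_for(jar: cookies.SimpleCookie, name: str) -> str:
    """The Set-Cookie header value emitted for one cookie (Morsel.OutputString)."""
    return jar[name].OutputString()
```

Running `partition_cookies(build_sample_cookies(), ["csrftoken", "sessionid", "django_language"])` partitions only `csrftoken`; `sessionid` is reported as skipped because it carries SameSite=Lax, which is the kind of per-cookie check worth making when one cookie ends up without the attribute.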
--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:11>