#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
     Reporter:  Oleg Korsak          |                    Owner:  nobody
         Type:  New feature          |                   Status:  new
    Component:  HTTP handling        |                  Version:  4.1
     Severity:  Normal               |               Resolution:
     Keywords:  chips, cookies,      |             Triage Stage:  Accepted
  csrf, partitioned                  |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by BertrandHustle):

 Replying to [comment:10 Terence Honles]:
 > Replying to [comment:9 Michael Wheeler]:
 > > I wonder if it would be possible to follow a similar approach to the
 > > one that was used to add support for `SameSite`
 > > https://github.com/django/django/commit/9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a.
 > >
 > > Not sure if anyone was already planning on tackling this, but if not
 > > I'd be curious about taking it on as a first time contributor.
 >
 > Thanks for the pointer here. I was actually going to write a WSGI
 > middleware, but following what was done for `SameSite` I used the
 > following:
 >
 > middleware.py:
 > {{{
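 > ...
 > from http import cookies
 >
 > from django.conf import settings
 > from django.http import HttpRequest
 > from django.http.response import HttpResponseBase
 > from django.utils.deprecation import MiddlewareMixin
 >
 > ...
 > # Register "Partitioned" as a flag attribute with http.cookies (private API).
 > cookies.Morsel._flags.add("partitioned")
 > cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")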
 >
 > class CookiePartitioningMiddleware(MiddlewareMixin):
 >     def process_response(
 >         self, request: HttpRequest, response: HttpResponseBase
 >     ) -> HttpResponseBase:
 >         for name in (
 >             getattr(settings, f"{prefix}_COOKIE_NAME")
 >             for prefix in ("CSRF", "SESSION", "LANGUAGE")
 >             if getattr(settings, f"{prefix}_COOKIE_SECURE")
 >         ):
 >             if cookie := response.cookies.get(name):
 >                 cookie["Partitioned"] = True
 >
 >         return response
 > }}}
 >
 > and added the middleware to my application.
 >
 > Adding and respecting a `${NAME}_COOKIE_PARTITIONED` would make sense for
 > a PR, but for our use case we want to partition all cookies. It ''may''
 > also make sense to make sure `${NAME}_COOKIE_SAMESITE` is `'None'` since
 > that is [https://developers.google.com/privacy-sandbox/3pcd/chips#:~:text=Note%3A%20Adding%20SameSite%3DNone%20will%20allow%20your%20cookie%20to%20be%20sent%20in%20third%2Dparty%20contexts%20where%20the%20Partitioned%20attribute%20is%20not%20supported%2C%20as%20long%20as%20third%2Dparty%20cookies%20are%20allowed%20in%20browser%20settings. recommended for browsers which don't support partitioning via CHIPS]

 FYI, this doesn't seem to work for `sessionid` cookies, the Partitioned
 attr only gets set on the csrftoken.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
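
One thing to check against the report above, as an added example that is not part of the ticket or of Django: Django calls `process_response` hooks in reverse `MIDDLEWARE` order, so the partitioning hook only sees cookies set by middleware listed below it. This standard-library model (the names `set_cookie`, `partition` and `run` are hypothetical, and the placement between the session and CSRF middleware is an assumption, not something the ticket states) applies the same `Morsel` patch and shows how placement decides which cookies receive `Partitioned`.

```python
from http import cookies

# Same private-API patch as the quoted middleware; it changes nothing on
# Python versions whose http.cookies already knows the attribute.
cookies.Morsel._flags.add("partitioned")
cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")

PARTITION = ("csrftoken", "sessionid")  # Django's default cookie names


def set_cookie(name):
    """Model of a middleware whose process_response sets a Secure cookie."""
    def process_response(jar):
        jar[name] = "constructed-value"  # constructed sample value
        jar[name]["secure"] = True
        jar[name]["samesite"] = "None"
    return process_response


def partition(jar):
    """Model of CookiePartitioningMiddleware.process_response."""
    for name in PARTITION:
        if name in jar and jar[name]["secure"]:
            jar[name]["partitioned"] = True


def run(middleware):
    """Apply response hooks bottom-up, as Django does for MIDDLEWARE."""
    jar = cookies.SimpleCookie()
    for hook in reversed(middleware):
        hook(jar)
    return {n: bool(m["partitioned"]) for n, m in jar.items()}, jar


# Partitioning listed between the session and CSRF middleware: its hook
# runs after csrftoken is set but before sessionid exists.
between, _ = run([set_cookie("sessionid"), partition, set_cookie("csrftoken")])
# Partitioning listed first: its response hook runs last and sees both.
first, jar = run([partition, set_cookie("sessionid"), set_cookie("csrftoken")])

if __name__ == "__main__":
    print(between)
    print(first)
    print(jar.output())
```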
