Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.7] allow samesite in cookies (#4224) #4303

Merged
merged 1 commit into from
Oct 29, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGES/4224.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
allow use of SameSite in cookies.
15 changes: 12 additions & 3 deletions aiohttp/web_response.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
import zlib
from concurrent.futures import Executor
from email.utils import parsedate
from http.cookies import SimpleCookie
from http.cookies import Morsel, SimpleCookie
from typing import ( # noqa
TYPE_CHECKING,
Any,
Expand All @@ -27,7 +27,7 @@

from . import hdrs, payload
from .abc import AbstractStreamWriter
from .helpers import HeadersMixin, rfc822_formatted_time, sentinel
from .helpers import PY_38, HeadersMixin, rfc822_formatted_time, sentinel
from .http import RESPONSES, SERVER_SOFTWARE, HttpVersion10, HttpVersion11
from .payload import Payload
from .typedefs import JSONEncoder, LooseHeaders
Expand All @@ -42,6 +42,12 @@
BaseClass = collections.abc.MutableMapping


if not PY_38:
# allow samesite to be used in python < 3.8
# already permitted in python 3.8, see https://bugs.python.org/issue29613
Morsel._reserved['samesite'] = 'SameSite' # type: ignore


class ContentCoding(enum.Enum):
# The content codings that we have support for.
#
Expand Down Expand Up @@ -183,7 +189,8 @@ def set_cookie(self, name: str, value: str, *,
path: str='/',
secure: Optional[bool]=None,
httponly: Optional[bool]=None,
version: Optional[str]=None) -> None:
version: Optional[str]=None,
samesite: Optional[str]=None) -> None:
"""Set or update response cookie.

Sets new cookie or updates existent with new value.
Expand Down Expand Up @@ -219,6 +226,8 @@ def set_cookie(self, name: str, value: str, *,
c['httponly'] = httponly
if version is not None:
c['version'] = version
if samesite is not None:
c['samesite'] = samesite

def del_cookie(self, name: str, *,
domain: Optional[str]=None,
Expand Down
11 changes: 10 additions & 1 deletion docs/web_reference.rst
Original file line number Diff line number Diff line change
Expand Up @@ -689,7 +689,8 @@ StreamResponse

.. method:: set_cookie(name, value, *, path='/', expires=None, \
domain=None, max_age=None, \
secure=None, httponly=None, version=None)
secure=None, httponly=None, version=None, \
samesite=None)

Convenient way for setting :attr:`cookies`, allows to specify
some additional properties like *max_age* in a single call.
Expand Down Expand Up @@ -734,6 +735,14 @@ StreamResponse
specification the cookie
conforms. (Optional, *version=1* by default)

:param str samesite: Asserts that a cookie must not be sent with
cross-origin requests, providing some protection
against cross-site request forgery attacks.
Generally the value should be one of: ``None``,
``Lax`` or ``Strict``. (optional)

.. versionadded:: 3.7

.. warning::

In HTTP version 1.1, ``expires`` was deprecated and replaced with
Expand Down
3 changes: 2 additions & 1 deletion tests/test_web_response.py
Original file line number Diff line number Diff line change
Expand Up @@ -703,13 +703,14 @@ def test_response_cookie_path() -> None:
'Set-Cookie: name=value; expires=123; Path=/')
resp.set_cookie('name', 'value', domain='example.com',
path='/home', expires='123', max_age='10',
secure=True, httponly=True, version='2.0')
secure=True, httponly=True, version='2.0', samesite='lax')
assert (str(resp.cookies).lower() == 'set-cookie: name=value; '
'domain=example.com; '
'expires=123; '
'httponly; '
'max-age=10; '
'path=/home; '
'samesite=lax; '
'secure; '
'version=2.0')

Expand Down