gh-112713 : Add support for 'partitioned' attribute in http.cookies

Doc/library/http.cookies.rst

@@ -142,6 +142,7 @@ Morsel Objects
                     version
                     httponly
                     samesite
+                    partitioned
 
    The attribute :attr:`httponly` specifies that the cookie is only transferred
    in HTTP requests, and is not accessible through JavaScript. This is intended
@@ -151,6 +152,18 @@ Morsel Objects
    send the cookie along with cross-site requests. This helps to mitigate CSRF
    attacks. Valid values for this attribute are "Strict" and "Lax".
 
+   The attribute :attr:`partitioned` indicates to user agents that these
+   cross-site cookies *should* only be available in the same top-level context
+   that the cookie was first set in. For this to be accepted by the user agent,
+   you **must** also set both ``Secure`` and ``Path=/``.
+   In addition, it is recommended to use the ``__Host`` prefix when setting
+   partitioned cookies to make them bound to the hostname and not the
+   registrable domain. Read
+   `CHIPS (Cookies Having Independent Partitioned State)`_
+   for full details and examples.
+
+   .. _CHIPS (Cookies Having Independent Partitioned State): https://github.com/privacycg/CHIPS/blob/main/README.md
+
    The keys are case-insensitive and their default value is ``''``.
 
    .. versionchanged:: 3.5
@@ -165,6 +178,9 @@ Morsel Objects
    .. versionchanged:: 3.8
       Added support for the :attr:`samesite` attribute.
 
+   .. versionchanged:: 3.13
+      Added support for the :attr:`partitioned` attribute.
+
 
 .. attribute:: Morsel.value
 

Lib/http/cookies.py

@@ -273,18 +273,19 @@ class Morsel(dict):
     # variant on the left to the appropriate traditional
     # formatting on the right.
     _reserved = {
-        "expires"  : "expires",
-        "path"     : "Path",
-        "comment"  : "Comment",
-        "domain"   : "Domain",
-        "max-age"  : "Max-Age",
-        "secure"   : "Secure",
-        "httponly" : "HttpOnly",
-        "version"  : "Version",
-        "samesite" : "SameSite",
+        "expires": "expires",
+        "path": "Path",
+        "comment": "Comment",
+        "domain": "Domain",
+        "max-age": "Max-Age",
+        "secure": "Secure",
+        "httponly": "HttpOnly",
+        "version": "Version",
+        "samesite": "SameSite",
+        "partitioned": "Partitioned",
     }
 
-    _flags = {'secure', 'httponly'}
+    _flags = {'secure', 'httponly', 'partitioned'}
 
     def __init__(self):
         # Set defaults

Lib/test/test_http_cookies.py

@@ -121,6 +121,14 @@ def test_set_secure_httponly_attrs(self):
         self.assertEqual(C.output(),
             'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')
 
+    def test_set_secure_httponly_partitioned_attrs(self):
+        C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
+        C['Customer']['secure'] = True
+        C['Customer']['httponly'] = True
+        C['Customer']['partitioned'] = True
+        self.assertEqual(C.output(),
+            'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Partitioned; Secure')
+
     def test_samesite_attrs(self):
         samesite_values = ['Strict', 'Lax', 'strict', 'lax']
         for val in samesite_values:

Misc/NEWS.d/next/Core and Builtins/2023-12-04-15-53-25.gh-issue-112713.Zrhv77.rst

@@ -0,0 +1 @@
+Added support for the ``Partitioned`` cookie flag in :mod:`http.cookies`.