Skip to content

bpo-29613: Added support for SameSite cookies#6413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
alex merged 11 commits into from
Apr 7, 2018
Merged

bpo-29613: Added support for SameSite cookies #6413

alex merged 11 commits into from
Apr 7, 2018

Conversation

@alex
Copy link
Member

@alexalex commented Apr 7, 2018
edited by bedevere-bot
Loading

@alexalex requested a review from dstufftApril 7, 2018 17:58
@alexalex mentioned this pull request Apr 7, 2018
Closed
timgraham
timgraham reviewed Apr 7, 2018
View reviewed changes
Doc/library/http.cookies.rst Outdated
setting them.

.. versionchanged:: 3.8
Added support for :attr:`samesite` attribute.
Copy link
Contributor

@timgrahamtimgrahamApr 7, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for the

Doc/library/http.cookies.rst Outdated
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
Copy link
Contributor

@timgrahamtimgrahamApr 7, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"the browser"

Doc/library/http.cookies.rst Outdated
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
Copy link
Contributor

@timgrahamtimgrahamApr 7, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

help -> helps

Lib/test/test_http_cookies.py Outdated
'Set-Cookie: Customer="WILE_E_COYOTE" HttpOnly; Secure')

deftest_samesite_attrs(self):
samesite_values= ['Strict', 'Lax']
Copy link
Contributor

@timgrahamtimgrahamApr 7, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might add tests for 'strict' and 'lax' as the values are case-insensitive from what I read.

@alex
Copy link
MemberAuthor

alex commented Apr 7, 2018

Thanks! Feedback addressed

@alexalex merged commit c87eb09 into python:masterApr 7, 2018
@alexalex deleted the samesite-cookies branch April 7, 2018 20:09
@alex
Copy link
MemberAuthor

alex commented Apr 7, 2018

@akash0x53 I would encourage you to apply for a Google Patch Reward for your work on this: https://www.google.com/about/appsecurity/patch-rewards/

@ChangacoChangaco mentioned this pull request Jun 5, 2018
Merged
@minrkminrk mentioned this pull request Jan 18, 2019
Open
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dstufftdstufftdstufft approved these changes

+1 more reviewer

@timgrahamtimgrahamtimgraham left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@alex@dstufft@timgraham@the-knights-who-say-ni@bedevere-bot@akash0x53