| author | Alex Gaynor <alex.gaynor@gmail.com> | 2018-04-13 20:58:31 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2018-04-13 20:58:31 -0400 |
| commit | 9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a (patch) | |
| tree | ddb311604d1ec31ec09c8ae12e34dadc821f7536 /django/http | |
| parent | 13efbb233a9aa2e3f13be863c6616ec0767a0d58 (diff) | |
Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
Diffstat (limited to 'django/http')
| -rw-r--r-- | django/http/cookie.py | 3 | ||||
| -rw-r--r-- | django/http/response.py | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/django/http/cookie.py b/django/http/cookie.py
index b94d2b0386..5c418d7e35 100644
--- a/django/http/cookie.py
+++ b/django/http/cookie.py
@@ -3,6 +3,9 @@ from http import cookies
 # For backwards compatibility in Django 2.1.
 SimpleCookie = cookies.SimpleCookie
+# Add support for the SameSite attribute (obsolete when PY37 is unsupported).
+cookies.Morsel._reserved.setdefault('samesite', 'SameSite')
+
 def parse_cookie(cookie):
 """
diff --git a/django/http/response.py b/django/http/response.py
index b21b73f247..96c0cae597 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -154,7 +154,7 @@ class HttpResponseBase:
 return self._headers.get(header.lower(), (None, alternate))[1]
 def set_cookie(self, key, value='', max_age=None, expires=None, path='/',
- domain=None, secure=False, httponly=False):
+ domain=None, secure=False, httponly=False, samesite=None):
 """
 Set a cookie.
@@ -194,6 +194,10 @@ class HttpResponseBase:
 self.cookies[key]['secure'] = True
 if httponly:
 self.cookies[key]['httponly'] = True
+ if samesite:
+ if samesite.lower() not in ('lax', 'strict'):
+ raise ValueError('samesite must be "lax" or "strict".')
+ self.cookies[key]['samesite'] = samesite
 def setdefault(self, key, value):
 """Set a header unless it has already been set."""
|
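Review bot: The added `cookies.Morsel._reserved.setdefault('samesite', 'SameSite')` in django/http/cookie.py changes a private class attribute of the standard library at import time, so the effect is not limited to Django responses: any other code in the same interpreter that uses `http.cookies` appears to start accepting a `samesite` key once this module has been imported. The existing comment says when the shim becomes obsolete but not that it is process-wide; I would extend it with something like `# Process-wide: this patches the stdlib Morsel for every http.cookies user in the interpreter.`. Using `setdefault` rather than plain assignment is the right call, since it leaves an entry alone where the interpreter already defines one.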
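Review bot: In the new `samesite` branch of `set_cookie` (last hunk of django/http/response.py), a truthy non-string argument such as `True` reaches `samesite.lower()` and raises AttributeError rather than the ValueError the branch is written to produce. I would fold the type check into the same condition, `if not isinstance(samesite, str) or samesite.lower() not in ('lax', 'strict'):`, and keep the message as it is. Falsy values, including an empty string, skip the branch entirely and the cookie is sent with no SameSite attribute, and an accepted value is stored with the caller's casing; both are worth stating in the docstring so that a blank configuration value is not mistaken for an applied policy. The docstring opens in the previous hunk and continues outside both hunks, so I cannot see whether `samesite` is described there, and the body of `set_cookie` also starts and ends outside this hunk.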
