authorAlex Gaynor <alex.gaynor@gmail.com>2018-04-13 20:58:31 -0400
committerTim Graham <timograham@gmail.com>2018-04-13 20:58:31 -0400
commit9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a (patch)
treeddb311604d1ec31ec09c8ae12e34dadc821f7536 /tests
parent13efbb233a9aa2e3f13be863c6616ec0767a0d58 (diff)
Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
Diffstat (limited to 'tests')
-rw-r--r--tests/csrf_tests/tests.py8
-rw-r--r--tests/httpwrappers/tests.py5
-rw-r--r--tests/messages_tests/test_cookie.py2
-rw-r--r--tests/responses/test_cookie.py11
-rw-r--r--tests/sessions_tests/tests.py10
5 files changed, 36 insertions, 0 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 8a9c509f4c..e63fbb8bd6 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -586,6 +586,14 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
max_age = resp2.cookies.get('csrfcookie').get('max-age')
self.assertEqual(max_age, '')
+ def test_csrf_cookie_samesite(self):
+ req = self._get_GET_no_csrf_cookie_request()
+ with self.settings(CSRF_COOKIE_NAME='csrfcookie', CSRF_COOKIE_SAMESITE='Strict'):
+ self.mw.process_view(req, token_view, (), {})
+ resp = token_view(req)
+ resp2 = self.mw.process_response(req, resp)
+ self.assertEqual(resp2.cookies['csrfcookie']['samesite'], 'Strict')
+
def test_process_view_token_too_long(self):
"""
If the token is longer than expected, it is ignored and a new token is
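Review bot: `test_csrf_cookie_samesite` exercises only `CSRF_COOKIE_SAMESITE='Strict'`, so nothing pins what the CSRF cookie carries when the setting is not 'Strict'. An implementation that hard-coded the value would still pass. I would add a second case under `with self.settings(CSRF_COOKIE_NAME='csrfcookie', CSRF_COOKIE_SAMESITE=None):` ending in `self.assertEqual(resp2.cookies['csrfcookie']['samesite'], '')`. That assumes `None` is an accepted value and that an unset flag is stored as an empty morsel value, as the `max-age` context line above suggests. `test_samesite_session_cookie` in tests/sessions_tests/tests.py has the same single-value coverage.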
diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py
index a387ca1f74..985380cc57 100644
--- a/tests/httpwrappers/tests.py
+++ b/tests/httpwrappers/tests.py
@@ -746,6 +746,11 @@ class CookieTests(unittest.TestCase):
# document.cookie parses whitespace.
self.assertEqual(parse_cookie(' = b ; ; = ; c = ; '), {'': 'b', 'c': ''})
+ def test_samesite(self):
+ c = SimpleCookie('name=value; samesite=lax; httponly')
+ self.assertEqual(c['name']['samesite'], 'lax')
+ self.assertIn('SameSite=lax', c.output())
+
def test_httponly_after_load(self):
c = SimpleCookie()
c.load("name=val")
diff --git a/tests/messages_tests/test_cookie.py b/tests/messages_tests/test_cookie.py
index a5eff30fd4..211d33f04c 100644
--- a/tests/messages_tests/test_cookie.py
+++ b/tests/messages_tests/test_cookie.py
@@ -57,6 +57,7 @@ class CookieTests(BaseTests, SimpleTestCase):
# The message contains what's expected.
self.assertEqual(list(storage), example_messages)
+ @override_settings(SESSION_COOKIE_SAMESITE='Strict')
def test_cookie_setings(self):
"""
CookieStorage honors SESSION_COOKIE_DOMAIN, SESSION_COOKIE_SECURE, and
@@ -72,6 +73,7 @@ class CookieTests(BaseTests, SimpleTestCase):
self.assertEqual(response.cookies['messages']['expires'], '')
self.assertIs(response.cookies['messages']['secure'], True)
self.assertIs(response.cookies['messages']['httponly'], True)
+ self.assertEqual(response.cookies['messages']['samesite'], 'Strict')
# Test deletion of the cookie (storing with an empty value) after the messages have been consumed
storage = self.get_storage()
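Review bot: The added `samesite` assertion covers only the cookie written when messages are stored; the deletion branch that starts right after it ("storing with an empty value") is not checked for SameSite. A deletion cookie that carries different attributes from the original is an easy place for cookie flags to drift. Either repeat `self.assertEqual(response.cookies['messages']['samesite'], 'Strict')` after the deletion update, or add a comment such as `# The deletion cookie intentionally omits SameSite.` if that is the intended behaviour. The rest of `test_cookie_setings` lies outside this hunk, so its existing deletion assertions are not visible here. Its docstring, cut off above, should also name SESSION_COOKIE_SAMESITE among the settings it says are honoured.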
diff --git a/tests/responses/test_cookie.py b/tests/responses/test_cookie.py
index 148963fa59..a5092c3bbf 100644
--- a/tests/responses/test_cookie.py
+++ b/tests/responses/test_cookie.py
@@ -79,6 +79,17 @@ class SetCookieTests(SimpleTestCase):
response.set_cookie('test', cookie_value)
self.assertEqual(response.cookies['test'].value, cookie_value)
+ def test_samesite(self):
+ response = HttpResponse()
+ response.set_cookie('example', samesite='Lax')
+ self.assertEqual(response.cookies['example']['samesite'], 'Lax')
+ response.set_cookie('example', samesite='strict')
+ self.assertEqual(response.cookies['example']['samesite'], 'strict')
+
+ def test_invalid_samesite(self):
+ with self.assertRaisesMessage(ValueError, 'samesite must be "lax" or "strict".'):
+ HttpResponse().set_cookie('example', samesite='invalid')
+
class DeleteCookieTests(SimpleTestCase):
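Review bot: `test_invalid_samesite` probes a single rejected string, so the edge of the validation is unpinned: these tests do not show whether `samesite=''` or another falsy value is rejected or silently treated as "flag not set". For a security attribute that difference matters, because a misconfigured empty value would produce a cookie with no SameSite protection and no error. I would add one case that fixes the behaviour either way, and a comment on `test_samesite` such as `# Validation is case-insensitive; the value is stored with the caller's casing.`, since the 'Lax' and 'strict' assertions imply that without saying it.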
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py
index 8f3f948f9e..09c21da089 100644
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -660,6 +660,16 @@ class SessionMiddlewareTests(TestCase):
str(response.cookies[settings.SESSION_COOKIE_NAME])
)
+ @override_settings(SESSION_COOKIE_SAMESITE='Strict')
+ def test_samesite_session_cookie(self):
+ request = RequestFactory().get('/')
+ response = HttpResponse()
+ middleware = SessionMiddleware()
+ middleware.process_request(request)
+ request.session['hello'] = 'world'
+ response = middleware.process_response(request, response)
+ self.assertEqual(response.cookies[settings.SESSION_COOKIE_NAME]['samesite'], 'Strict')
+
@override_settings(SESSION_COOKIE_HTTPONLY=False)
def test_no_httponly_session_cookie(self):
request = RequestFactory().get('/')
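Review bot: `test_samesite_session_cookie` asserts on the morsel dict only, whereas the test just above it in this class checks `str(response.cookies[settings.SESSION_COOKIE_NAME])`. Adding `self.assertIn('SameSite=Strict', str(response.cookies[settings.SESSION_COOKIE_NAME]))` would confirm that the attribute reaches the serialised Set-Cookie header and is not just stored on the morsel. The httpwrappers test in this commit already checks `c.output()` in that way. `test_no_httponly_session_cookie` continues outside the hunk.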