[Django] #34613: add support for Partitioned cookies

Django

May 31, 2023, 2:12:43 PM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Keywords: chips, cookies, csrf, partitioned
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Hi.

I'm having issues with a Django app in Chrome. It works both standalone
and embedded in an IFRAME in another system, and users tend to open it both
ways in tabs. At some point they manage to overwrite (e.g. by re-logging
in) the cookies holding the session id and CSRF token in one tab, but
Chrome overwrites them for the other tab as well, while the already opened
IFRAME still has the old CSRF token in its HTML. So the next request fails.
No issues in Firefox.

I've found the following explanation:

https://developer.chrome.com/docs/privacy-sandbox/chips/

https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/

So Firefox separates such cookies by default, while Chrome needs the server
to set a "Partitioned" flag on the cookies. But... Django is unable to do
so because it uses the standard Python Morsel cookie class, which doesn't
support that flag.

--
Ticket URL: <https://code.djangoproject.com/ticket/34613>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 31, 2023, 9:16:45 PM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Michael Wheeler):

* cc: Michael Wheeler (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:1>

Django

Jun 1, 2023, 10:38:07 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Markus Holtermann):

Hi! Partitioned cookies still seem to be quite experimental in
Chrome/Safari. So, we're unlikely to add support for them right away.

But, in order to better understand the issue, can you tell us more about
the setup you have? For example, what's the domain of the site that
includes the iframe? What's the domain of the site within the iframe? What
cookie-related settings do you have configured?

Can you reproduce the issue in a small project?

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:2>

Django

Jun 1, 2023, 10:49:34 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: 4.1
Severity: Normal | Resolution: needsinfo
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => needsinfo


--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:3>

Django

Jan 12, 2024, 12:43:02 PM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Raphael Michel):

* status: closed => new
* resolution: needsinfo =>


Comment:

Yes, this is still experimental, but Chrome is rolling out their trial to
remove third-party cookies starting this month:
https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct

Partitioned cookies will be basically the only way left to implement
interactive iframes with state. Our specific use case is this:
https://docs.pretix.eu/en/latest/user/events/widget.html

We'll need to be able to set our session cookies as partitioned quite soon,
and I was surprised to find that there seems to be no way to do it
currently, not even a hacky one.

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:4>

Django

Jan 15, 2024, 12:09:48 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: Markus Holtermann (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:5>

Django

Jan 15, 2024, 3:03:14 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: 4.1
Severity: Normal | Resolution: needsinfo
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => needsinfo


Comment:

Raphael, I appreciate you'd like to reopen the ticket, but I'm not exactly
sure what kind of changes are needed in Django. Is it something that can be
handled by a custom middleware? Do we need to change the `SimpleCookie`
implementation? Should we mark Django cookies as "partitioned"? Is it only
an issue for session cookies? etc. I'd be grateful for your insights.

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:6>

Django

Jan 15, 2024, 6:09:02 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: 4.1
Severity: Normal | Resolution: needsinfo
Keywords: chips, cookies, | Triage Stage:
csrf, partitioned | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Raphael Michel):

Hi Mariusz,

Replying to [comment:6 Mariusz Felisiak]:

> Raphael, I appreciate you'd like to reopen the ticket, but I'm not
> exactly sure what kind of changes are needed in Django. Is it something
> that can be handled by a custom middleware? Do we need to change the
> `SimpleCookie` implementation?

That is the very nasty part about this: Cookie headers are handled as a
special case by Django directly on the WSGI/ASGI layer, differently from
any other header, so as far as I can tell, a custom middleware can *not*
implement this. Supporting it in Django requires at least an additional
keyword argument to `set_cookie()` plus – and that is the nasty part – a
change to `SimpleCookie`, which is in the stdlib these days.

There is already an issue for the stdlib:
https://github.com/python/cpython/issues/112713

It also has a PR:
https://github.com/python/cpython/pull/112714

But even if that gets merged soon, I don't think it will be backported to
existing Python versions, so supporting this in the near future (i.e. the
next Django version) would mean vendoring parts of `SimpleCookie` again.
I'll try to figure out which parts exactly in the next days or weeks, since
even if this does not make it into Django soon, we'll need to monkeypatch
it in our project somehow.

> Should we mark Django cookies as "partitioned"?

I think it should be opt-in, i.e. a settings flag for the session cookie
and CSRF cookie (similar to Secure and HttpOnly), and a keyword argument
for `set_cookie()`.

> Is it only an issue for session cookies? etc.

No, this will affect at least the session cookie and CSRF cookie, plus
possibly custom cookies.

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:7>

Django

Jan 15, 2024, 6:24:47 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage: Accepted
csrf, partitioned |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: Alex Gaynor (added)
* resolution: needsinfo =>
* status: closed => new
* component: CSRF => HTTP handling
* stage: Unreviewed => Accepted


Comment:

Thanks! Tentatively accepted.

> But even if that gets merged soon, I don't think it will be backported
> to existing Python versions, so supporting this in the near future (i.e.
> next Django version) would mean vendoring parts of `SimpleCookie` again.

That's unfortunate, here be dragons ...

> I'll try to figure out what parts exactly in the next days or weeks,
> since even if this does not make it in Django soon ...

Much appreciated.

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:8>

Django

Jan 16, 2024, 3:43:51 PM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage: Accepted
csrf, partitioned |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Michael Wheeler):

I wonder if it would be possible to follow a similar approach to the one
that was used to add support for `SameSite`
https://github.com/django/django/commit/9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a.

Not sure if anyone was already planning on tackling this, but if not I'd
be curious about taking it on as a first time contributor.

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:9>

Django

Jan 19, 2024, 5:24:55 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage: Accepted
csrf, partitioned |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Terence Honles):

Replying to [comment:9 Michael Wheeler]:

> I wonder if it would be possible to follow a similar approach to the one
> that was used to add support for `SameSite`
> https://github.com/django/django/commit/9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a.
>
> Not sure if anyone was already planning on tackling this, but if not I'd
> be curious about taking it on as a first time contributor.

Thanks for the pointer here. I was actually going to write a WSGI
middleware, but following what was done for `SameSite` I used the
following:

middleware.py:
{{{
from http import cookies

from django.conf import settings
from django.http import HttpRequest, HttpResponseBase
from django.utils.deprecation import MiddlewareMixin

# Teach the stdlib Morsel the attribute: ``_flags`` is the set of boolean
# attributes and ``_reserved`` maps the lowercase key to its header spelling,
# so OutputString() emits a bare "Partitioned" token once both are registered.
cookies.Morsel._flags.add("partitioned")
cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


class CookiePartitioningMiddleware(MiddlewareMixin):
    # process_response() runs in reverse MIDDLEWARE order, so this class must
    # be listed *before* SessionMiddleware and CsrfViewMiddleware to see the
    # cookies those middlewares add to the response.
    def process_response(
        self, request: HttpRequest, response: HttpResponseBase
    ) -> HttpResponseBase:
        for name in (
            getattr(settings, f"{prefix}_COOKIE_NAME")
            for prefix in ("CSRF", "SESSION", "LANGUAGE")
            # Browsers only honour Partitioned together with Secure.
            if getattr(settings, f"{prefix}_COOKIE_SECURE")
        ):
            if cookie := response.cookies.get(name):
                cookie["Partitioned"] = True

        return response
}}}

and added the middleware to my application.

Adding and respecting a `${NAME}_COOKIE_PARTITIONED` setting would make
sense for a PR, but for our use case we want to partition all cookies. It
''may'' also make sense to make sure `${NAME}_COOKIE_SAMESITE` is `'None'`,
since that is
[https://developers.google.com/privacy-sandbox/3pcd/chips#:~:text=Note%3A%20Adding%20SameSite%3DNone%20will%20allow%20your%20cookie%20to%20be%20sent%20in%20third%2Dparty%20contexts%20where%20the%20Partitioned%20attribute%20is%20not%20supported%2C%20as%20long%20as%20third%2Dparty%20cookies%20are%20allowed%20in%20browser%20settings. recommended for browsers which don't support partitioning via CHIPS]

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:10>
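
The following is an added, stdlib-only example (not code from the ticket, from Django, or from any of the commenters) that illustrates the two points made in comment:7 and comment:10 above: `http.cookies.Morsel` itself has to be taught the attribute before a `SimpleCookie` can emit it, and once it is, the same `_flags`/`_reserved` registration used in the middleware works for any cookie jar. It also adds a small audit for the conditions CHIPS imposes (Secure, and SameSite=None for cross-site delivery). The function names and the cookie values (`abc123`, `tok456`, `dark`, `x`) are constructed for the example; the `enable_partitioned_attribute()` helper is a no-op on Python versions that already ship the attribute.

```python
"""Added example for ticket #34613 (not Django's code): teach the stdlib Morsel
the Partitioned attribute and check the resulting Set-Cookie values offline."""
from http import cookies


def enable_partitioned_attribute() -> bool:
    """Register the attribute on Morsel; returns True if the patch was needed.

    Same technique as the middleware in the thread: ``_flags`` is the set of
    boolean attributes, ``_reserved`` maps the lowercase key to the header
    spelling. Newer Python versions may ship it already; then this is a no-op.
    """
    needed = "partitioned" not in cookies.Morsel._reserved
    cookies.Morsel._flags.add("partitioned")
    cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")
    return needed


def partition_cookies(jar: cookies.SimpleCookie, names) -> list:
    """Mark the named cookies Partitioned plus the attributes CHIPS expects.

    Returns the names that were present in the jar and got changed.
    """
    changed = []
    for name in names:
        morsel = jar.get(name)
        if morsel is None:
            continue
        morsel["secure"] = True      # browsers ignore Partitioned without Secure
        morsel["samesite"] = "None"  # needed for delivery inside a cross-site iframe
        morsel["partitioned"] = True
        changed.append(name)
    return changed


def check_partitioned(morsel: cookies.Morsel) -> list:
    """Return the problems that would make a browser drop a Partitioned cookie."""
    problems = []
    if not morsel.get("partitioned"):
        return problems
    if not morsel.get("secure"):
        problems.append("Partitioned requires Secure")
    if str(morsel.get("samesite") or "").lower() != "none":
        problems.append("SameSite should be None for cross-site delivery")
    return problems


def audit(jar: cookies.SimpleCookie) -> dict:
    """Map each cookie name to its list of problems (empty list means fine)."""
    return {name: check_partitioned(morsel) for name, morsel in jar.items()}


def headers(jar: cookies.SimpleCookie) -> dict:
    """Map each cookie name to the value that would follow 'Set-Cookie:'."""
    return {name: morsel.OutputString() for name, morsel in jar.items()}


def demo() -> tuple:
    """Build a constructed cookie jar, partition the framework cookies, audit it."""
    jar = cookies.SimpleCookie()
    jar["sessionid"] = "abc123"   # constructed sample values, not real tokens
    jar["csrftoken"] = "tok456"
    jar["theme"] = "dark"         # a first-party-only cookie we leave alone
    enable_partitioned_attribute()
    changed = partition_cookies(jar, ["sessionid", "csrftoken", "missing"])
    # A cookie marked Partitioned by hand without Secure: the audit flags it.
    jar["legacy"] = "x"
    jar["legacy"]["partitioned"] = True
    return changed, headers(jar), audit(jar)


if __name__ == "__main__":
    for line in demo()[1].values():
        print("Set-Cookie:", line)
```

When the same registration is wired into a Django middleware, remember that `process_response()` runs in reverse `MIDDLEWARE` order: the partitioning middleware has to be listed before `SessionMiddleware` and `CsrfViewMiddleware`, otherwise it runs before those middlewares have put their cookies on the response and finds nothing to mark.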

Django

Feb 29, 2024, 9:08:42 PM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage: Accepted
csrf, partitioned |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by BertrandHustle):

Replying to [comment:10 Terence Honles]:

FYI, this doesn't seem to work for `sessionid` cookies, the Partitioned
attr only gets set on the csrftoken.

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:11>

Django

Apr 7, 2024, 9:20:34 AM
to django-...@googlegroups.com
#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
Reporter: Oleg Korsak | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 4.1
Severity: Normal | Resolution:
Keywords: chips, cookies, | Triage Stage: Accepted
csrf, partitioned |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Colin Murtaugh):

* cc: Colin Murtaugh (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/34613#comment:12>