[Django] #27863: Implement "SameSite" flag for session cookies


Django
Feb 20, 2017, 4:01:30 PM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session cookies
--------------------------------------------+------------------------
Reporter: Alex Gaynor | Owner: nobody
Type: New feature | Status: new
Component: contrib.sessions | Version: 1.10
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------+------------------------
SameSite is a mechanism for telling browsers not to send a cookie on
requests with a different origin. It's not yet widely supported to the
point of being the only CSRF protection
(http://caniuse.com/#feat=same-site-cookie-attribute), but at 50% global
deployment, it'd be very useful for Defense in Depth.

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

I believe simply adding `SameSite=lax` to the session cookie is all that'd
be required to get this protection, and I don't think there'd be any
backwards compatibility concerns (<---- almost certainly not this simple).

--
Ticket URL: <https://code.djangoproject.com/ticket/27863>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django
Feb 21, 2017, 9:15:06 AM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session cookies
----------------------------------+------------------------------------
Reporter: Alex Gaynor | Owner: nobody
Type: New feature | Status: new
Component: contrib.sessions | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------

Comment (by Alex Gaynor):

Note: this requires a change to the stdlib `cookies` module:
https://github.com/python/cpython/pull/214
I suspect with some hackery this can be worked around in Django, though.

--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:1>
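As an added illustration of the two points above (the ticket description's proposal to put `SameSite=Lax` on the session cookie, and the comment that the stdlib `cookies` module first had to learn the attribute), the following standard-library-only script builds a session cookie with the attribute and audits a `Set-Cookie` value for it. This is editor-supplied example code, not Django's implementation and not code from the ticket or its pull requests; the function names, the `_reserved` shim and the sample cookie values are this example's own assumptions.

```python
"""Added example (not Django's code and not from the ticket): emit a session
cookie that carries the SameSite attribute using only the standard library,
and audit a Set-Cookie value for the hardening attributes a session cookie
should have. Function names and sample values are this example's own."""
from http import cookies

# CPython before 3.8 did not list "samesite" among Morsel's reserved
# attributes, so morsel["samesite"] = "Lax" raised CookieError. Registering
# the attribute in the class-level table is the kind of stdlib workaround the
# ticket alludes to (assumption: shown as illustration, not as Django's exact
# code). On Python 3.8+ the entry already exists and this call is a no-op.
cookies.Morsel._reserved.setdefault("samesite", "SameSite")

VALID_SAMESITE = {"Lax", "Strict", "None"}


def build_session_cookie(name, value, samesite="Lax", secure=True,
                         httponly=True, max_age=None):
    """Return a Set-Cookie header value for a session cookie.

    Defaults follow the ticket's proposal (SameSite=Lax) plus the usual
    Secure and HttpOnly flags. SameSite=None is only accepted together with
    Secure, because browsers reject that combination otherwise.
    """
    if samesite not in VALID_SAMESITE:
        raise ValueError("samesite must be one of %s" % sorted(VALID_SAMESITE))
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure flag")
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["samesite"] = samesite
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    if max_age is not None:
        morsel["max-age"] = max_age
    # Morsel emits attributes sorted by attribute name, e.g.
    # "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax; Secure"
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return the hardening attributes missing from one Set-Cookie value.

    SameSite=None is reported as missing because it gives no CSRF
    protection; only Lax and Strict count.
    """
    jar = cookies.SimpleCookie()
    jar.load(header)
    missing = []
    for morsel in jar.values():
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            missing.append("SameSite")
    return missing


if __name__ == "__main__":
    # Constructed sample: a session cookie without the SameSite attribute.
    legacy = "sessionid=abc123; HttpOnly; Path=/"
    print(legacy, "->", audit_set_cookie(legacy))
    hardened = build_session_cookie("sessionid", "abc123", max_age=1209600)
    print(hardened, "->", audit_set_cookie(hardened))
```

The audit function is the useful half for a defender: run it over the `Set-Cookie` headers a deployment actually returns and it lists which session cookies still lack `Secure`, `HttpOnly` or a CSRF-relevant `SameSite` value, which is exactly the defense-in-depth gap the ticket is about.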

Django
Apr 20, 2017, 8:23:45 AM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session cookies
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Paweł Krawczyk
Type: New feature | Status: assigned
Component: contrib.sessions | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Paweł Krawczyk):

* owner: nobody => Paweł Krawczyk
* status: new => assigned


Comment:

This can be implemented in HttpResponse.set_cookie() alone. I have just
sent a pull-request on GitHub for that.

--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:2>

Django
Apr 20, 2017, 9:16:22 AM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session cookies
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Paweł Krawczyk
Type: New feature | Status: assigned
Component: contrib.sessions | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Paweł Krawczyk):

* has_patch: 0 => 1


Comment:

PR https://github.com/django/django/pull/8380

--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:3>

Django
Apr 20, 2017, 9:17:02 AM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session cookies
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Paweł Krawczyk
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Paweł Krawczyk):

* version: 1.10 => master


--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:4>

Django
Apr 20, 2017, 9:42:50 AM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session and CSRF cookies
-------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Paweł Krawczyk
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------
Changes (by Simon Charette):

* needs_docs: 0 => 1
* component: contrib.sessions => HTTP handling
* needs_tests: 0 => 1
* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:5>

Django
Jun 15, 2017, 10:57:11 AM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session and CSRF cookies
-------------------------------+--------------------------------------
Reporter: Alex Gaynor | Owner: shangdahao
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by shangdahao):

* owner: Paweł Krawczyk => shangdahao


--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:6>

Django
Jun 15, 2017, 10:59:38 AM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session and CSRF cookies
-------------------------------+------------------------------------
Reporter: Alex Gaynor | Owner: (none)
Type: New feature | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by hui shang):

* status: assigned => new
* owner: hui shang => (none)


--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:7>

Django
Apr 7, 2018, 4:57:14 PM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session and CSRF cookies
-------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Paweł Krawczyk
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------
Changes (by Tim Graham):

* needs_docs: 1 => 0
* needs_tests: 1 => 0


Comment:

New PR: https://github.com/django/django/pull/9860 (still needs some work)

--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:6>

Django
Apr 13, 2018, 8:58:53 PM
to django-...@googlegroups.com
#27863: Implement "SameSite" flag for session and CSRF cookies
-------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Paweł Krawczyk
Type: New feature | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In changeset 9a56b4b1 (9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a):

    Fixed #27863 -- Added support for the SameSite cookie flag.

    Thanks Alex Gaynor for contributing to the patch.

--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:7>
