Support the SameSite field in Cookies

[dstufft]

See https://tools.ietf.org/html/draft-west-first-party-cookies-07 and https://www.chromestatus.com/feature/4672634709082112 for more information.

This is shipping in Chrome since version 51, Opera since 39, positive support in Firefox.

[dstufft]

If this is something WebOb is interested in having, let me know and I can write tests for it.

[digitalresistor]

I added an open ticket here: #246

[dstufft]

hurf durf, I am good at computer.

So I guess the question is, are you happy shipping a draft or do you want to wait until the RFC is finalized? If you're OK shipping a draft, is there any sort of remark we should make about it being a draft?

[digitalresistor]

Hit comment too soon:

So yes I am interested in having it in WebOb, but in a capacity whereby it is optional, and marked as a draft spec. I tend to avoid adding draft's to libraries that are widely used because they can change too often and could potentially break things in the future.

If we do add it, it should be commented as such, and should link back to the draft version that is implemented. We should also add a way to verify the values passed so that cookies sent are valid, and you can't set SameSite to an invalid value.

If added to make_cookie() it should also be exposed in the CookieProfile, so that if you use the newer API for handling cookies within WebOb you get access to the same capabilities as using the set_cookie() API.

[digitalresistor]

I would also want to add a page to documentation that documents what if any draft specs are implemented.

[dstufft]

This now has tests and was added to CookieProfile and invalid values raise a ValueError instead of silently working.

I still need to surface the documentation you wanted, but I'm not sure where you want the comment that this is a draft and the link to be put. Looking at the documentation, I'd guess you want it as part of the docstrings in the relevant methods where the samesite kwarg has been added, is that correct?

[digitalresistor]

I think this is a new page that should be added to the docs.

There are some other patches that have been languishing because I tend to not want to include anything that is not official or complete (especially RFC wise), because it can become a maintenance nightmare, but at the same time I would like to include them in a future release because they allow for some neat features.

For example: #180 (although it needs some more work to be functional within WebOb...)

I'd like it documented in the doc string too, of course, but a seperate page named "Experimental" or something along those lines that I can point people to would be fantastic.

[digitalresistor]

Closing for #316