allow samesite in cookies #4224
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
psf-chronographer
bot
added
the
bot:chronographer:provided
|
Hmm. Guys, what are your opinions? |
|
I'm happy with either, just let me know and I'll update the PR. |
|
But given that chrome showing a warning for any cookie not including |
Codecov Report
@@ Coverage Diff @@
## master #4224 +/- ##
==========================================
- Coverage 97.58% 97.57% -0.02%
==========================================
Files 43 43
Lines 8853 8857 +4
Branches 1385 1387 +2
==========================================
+ Hits 8639 8642 +3
Misses 92 92
- Partials 122 123 +1
Continue to review full report at Codecov.
|
asvetlov
requested changes
Oct 18, 2019
There was a problem hiding this comment.
Ok, let's do monkey-patching if the lack of SameSite is considered as a security issue.
Please mention the argument in docs (http://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.StreamResponse.set_cookie)
Use 3.7 for .. versionadded::
aiohttp/web_response.py
Outdated
| @@ -42,6 +42,12 @@ | |||
| BaseClass = collections.abc.MutableMapping | |||
|
|
|||
|
|
|||
| if 'samesite' not in Morsel._reserved: # type: ignore | |||
There was a problem hiding this comment.
Use helpers.PY_38 check here instead if Morsel._reserved lookup.
It makes the intention explicitly clear and allows dropping the patch after dropping Python 3.7 support.
asvetlov
requested changes
Oct 18, 2019
|
Done, with is that okay? |
asvetlov
requested changes
Oct 25, 2019
docs/web_reference.rst
Outdated
| @@ -702,6 +703,14 @@ StreamResponse | |||
| specification the cookie | |||
| conforms. (Optional, *version=1* by default) | |||
|
|
|||
| .. versionadded:: 3.7 | |||
There was a problem hiding this comment.
Please move the directive inside :param: block, see web.Response zlib_executor_size for inspiration.
|
@samuelcolvin ping |
|
done, sorry for delay. |
asvetlov
approved these changes
Oct 29, 2019
asvetlov
pushed a commit
that referenced
this pull request
Oct 29, 2019
(cherry picked from commit 1220613) Co-authored-by: Samuel Colvin <s@muelcolvin.com>
|
👌 |
asvetlov
added a commit
that referenced
this pull request
Oct 29, 2019
|
@asvetlov, I wonder - is this going to be released anytime soon? |
|
Very important security consideration. Should consider a new release just to get this feature out the door imo. I'm tempted to install from master. Any commits in master I should be afraid of at this point? |
|
@asvetlov - Is there anything blocking the 3.7 release? Chrome has already started rolling out the samesite update to a selected population. |
|
This pull request has been mentioned on aio-libs. There might be relevant details there: https://aio-libs.discourse.group/t/patch-samesite-cookies-to-minor-version/111/1 |
asvetlov
pushed a commit
that referenced
this pull request
Oct 16, 2020
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Oct 24, 2020
This fixes py-yarl in pkgsrc being too new for py-aiohttp. 3.7.0 (2020-10-24) ================== Features -------- - Response headers are now prepared prior to running ``on_response_prepare`` hooks, directly before headers are sent to the client. `#1958 <https://github.com/aio-libs/aiohttp/issues/1958>`_ - Add a ``quote_cookie`` option to ``CookieJar``, a way to skip quotation wrapping of cookies containing special characters. `#2571 <https://github.com/aio-libs/aiohttp/issues/2571>`_ - Call ``AccessLogger.log`` with the current exception available from ``sys.exc_info()``. `#3557 <https://github.com/aio-libs/aiohttp/issues/3557>`_ - `web.UrlDispatcher.add_routes` and `web.Application.add_routes` return a list of registered `AbstractRoute` instances. `AbstractRouteDef.register` (and all subclasses) return a list of registered resources registered resource. `#3866 <https://github.com/aio-libs/aiohttp/issues/3866>`_ - Added properties of default ClientSession params to ClientSession class so it is available for introspection `#3882 <https://github.com/aio-libs/aiohttp/issues/3882>`_ - Don't cancel web handler on peer disconnection, raise `OSError` on reading/writing instead. `#4080 <https://github.com/aio-libs/aiohttp/issues/4080>`_ - Implement BaseRequest.get_extra_info() to access a protocol transports' extra info. `#4189 <https://github.com/aio-libs/aiohttp/issues/4189>`_ - Added `ClientSession.timeout` property. `#4191 <https://github.com/aio-libs/aiohttp/issues/4191>`_ - allow use of SameSite in cookies. `#4224 <https://github.com/aio-libs/aiohttp/issues/4224>`_ - Use ``loop.sendfile()`` instead of custom implementation if available. `#4269 <https://github.com/aio-libs/aiohttp/issues/4269>`_ - Apply SO_REUSEADDR to test server's socket. `#4393 <https://github.com/aio-libs/aiohttp/issues/4393>`_ - Use .raw_host instead of slower .host in client API `#4402 <https://github.com/aio-libs/aiohttp/issues/4402>`_ - Allow configuring the buffer size of input stream by passing ``read_bufsize`` argument. `#4453 <https://github.com/aio-libs/aiohttp/issues/4453>`_ - Pass tests on Python 3.8 for Windows. `#4513 <https://github.com/aio-libs/aiohttp/issues/4513>`_ - Add `method` and `url` attributes to `TraceRequestChunkSentParams` and `TraceResponseChunkReceivedParams`. `#4674 <https://github.com/aio-libs/aiohttp/issues/4674>`_ - Add ClientResponse.ok property for checking status code under 400. `#4711 <https://github.com/aio-libs/aiohttp/issues/4711>`_ - Don't ceil timeouts that are smaller than 5 seconds. `#4850 <https://github.com/aio-libs/aiohttp/issues/4850>`_ - TCPSite now listens by default on all interfaces instead of just IPv4 when `None` is passed in as the host. `#4894 <https://github.com/aio-libs/aiohttp/issues/4894>`_ - Bump ``http_parser`` to 2.9.4 `#5070 <https://github.com/aio-libs/aiohttp/issues/5070>`_ Bugfixes -------- - Fix keepalive connections not being closed in time `#3296 <https://github.com/aio-libs/aiohttp/issues/3296>`_ - Fix failed websocket handshake leaving connection hanging. `#3380 <https://github.com/aio-libs/aiohttp/issues/3380>`_ - Fix tasks cancellation order on exit. The run_app task needs to be cancelled first for cleanup hooks to run with all tasks intact. `#3805 <https://github.com/aio-libs/aiohttp/issues/3805>`_ - Don't start heartbeat until _writer is set `#4062 <https://github.com/aio-libs/aiohttp/issues/4062>`_ - Fix handling of multipart file uploads without a content type. `#4089 <https://github.com/aio-libs/aiohttp/issues/4089>`_ - Preserve view handler function attributes across middlewares `#4174 <https://github.com/aio-libs/aiohttp/issues/4174>`_ - Fix the string representation of ``ServerDisconnectedError``. `#4175 <https://github.com/aio-libs/aiohttp/issues/4175>`_ - Raising RuntimeError when trying to get encoding from not read body `#4214 <https://github.com/aio-libs/aiohttp/issues/4214>`_ - Remove warning messages from noop. `#4282 <https://github.com/aio-libs/aiohttp/issues/4282>`_ - Raise ClientPayloadError if FormData re-processed. `#4345 <https://github.com/aio-libs/aiohttp/issues/4345>`_ - Fix a warning about unfinished task in ``web_protocol.py`` `#4408 <https://github.com/aio-libs/aiohttp/issues/4408>`_ - Fixed 'deflate' compression. According to RFC 2616 now. `#4506 <https://github.com/aio-libs/aiohttp/issues/4506>`_ - Fixed OverflowError on platforms with 32-bit time_t `#4515 <https://github.com/aio-libs/aiohttp/issues/4515>`_ - Fixed request.body_exists returns wrong value for methods without body. `#4528 <https://github.com/aio-libs/aiohttp/issues/4528>`_ - Fix connecting to link-local IPv6 addresses. `#4554 <https://github.com/aio-libs/aiohttp/issues/4554>`_ - Fix a problem with connection waiters that are never awaited. `#4562 <https://github.com/aio-libs/aiohttp/issues/4562>`_ - Always make sure transport is not closing before reuse a connection. Reuse a protocol based on keepalive in headers is unreliable. For example, uWSGI will not support keepalive even it serves a HTTP 1.1 request, except explicitly configure uWSGI with a ``--http-keepalive`` option. Servers designed like uWSGI could cause aiohttp intermittently raise a ConnectionResetException when the protocol poll runs out and some protocol is reused. `#4587 <https://github.com/aio-libs/aiohttp/issues/4587>`_ - Handle the last CRLF correctly even if it is received via separate TCP segment. `#4630 <https://github.com/aio-libs/aiohttp/issues/4630>`_ - Fix the register_resource function to validate route name before splitting it so that route name can include python keywords. `#4691 <https://github.com/aio-libs/aiohttp/issues/4691>`_ - Improve typing annotations for ``web.Request``, ``aiohttp.ClientResponse`` and ``multipart`` module. `#4736 <https://github.com/aio-libs/aiohttp/issues/4736>`_ - Fix resolver task is not awaited when connector is cancelled `#4795 <https://github.com/aio-libs/aiohttp/issues/4795>`_ - Fix a bug "Aiohttp doesn't return any error on invalid request methods" `#4798 <https://github.com/aio-libs/aiohttp/issues/4798>`_ - Fix HEAD requests for static content. `#4809 <https://github.com/aio-libs/aiohttp/issues/4809>`_ - Fix incorrect size calculation for memoryview `#4890 <https://github.com/aio-libs/aiohttp/issues/4890>`_ - Add HTTPMove to _all__. `#4897 <https://github.com/aio-libs/aiohttp/issues/4897>`_ - Fixed the type annotations in the ``tracing`` module. `#4912 <https://github.com/aio-libs/aiohttp/issues/4912>`_ - Fix typing for multipart ``__aiter__``. `#4931 <https://github.com/aio-libs/aiohttp/issues/4931>`_ - Fix for race condition on connections in BaseConnector that leads to exceeding the connection limit. `#4936 <https://github.com/aio-libs/aiohttp/issues/4936>`_ - Add forced UTF-8 encoding for ``application/rdap+json`` responses. `#4938 <https://github.com/aio-libs/aiohttp/issues/4938>`_ - Fix inconsistency between Python and C http request parsers in parsing pct-encoded URL. `#4972 <https://github.com/aio-libs/aiohttp/issues/4972>`_ - Fix connection closing issue in HEAD request. `#5012 <https://github.com/aio-libs/aiohttp/issues/5012>`_ - Fix type hint on BaseRunner.addresses (from ``List[str]`` to ``List[Any]``) `#5086 <https://github.com/aio-libs/aiohttp/issues/5086>`_ - Make `web.run_app()` more responsive to Ctrl+C on Windows for Python < 3.8. It slightly increases CPU load as a side effect. `#5098 <https://github.com/aio-libs/aiohttp/issues/5098>`_ Improved Documentation ---------------------- - Fix example code in client quick-start `#3376 <https://github.com/aio-libs/aiohttp/issues/3376>`_ - Updated the docs so there is no contradiction in ``ttl_dns_cache`` default value `#3512 <https://github.com/aio-libs/aiohttp/issues/3512>`_ - Add 'Deploy with SSL' to docs. `#4201 <https://github.com/aio-libs/aiohttp/issues/4201>`_ - Change typing of the secure argument on StreamResponse.set_cookie from ``Optional[str]`` to ``Optional[bool]`` `#4204 <https://github.com/aio-libs/aiohttp/issues/4204>`_ - Changes ``ttl_dns_cache`` type from int to Optional[int]. `#4270 <https://github.com/aio-libs/aiohttp/issues/4270>`_ - Simplify README hello word example and add a documentation page for people coming from requests. `#4272 <https://github.com/aio-libs/aiohttp/issues/4272>`_ - Improve some code examples in the documentation involving websockets and starting a simple HTTP site with an AppRunner. `#4285 <https://github.com/aio-libs/aiohttp/issues/4285>`_ - Fix typo in code example in Multipart docs `#4312 <https://github.com/aio-libs/aiohttp/issues/4312>`_ - Fix code example in Multipart section. `#4314 <https://github.com/aio-libs/aiohttp/issues/4314>`_ - Update contributing guide so new contributors read the most recent version of that guide. Update command used to create test coverage reporting. `#4810 <https://github.com/aio-libs/aiohttp/issues/4810>`_ - Spelling: Change "canonize" to "canonicalize". `#4986 <https://github.com/aio-libs/aiohttp/issues/4986>`_ - Add ``aiohttp-sse-client`` library to third party usage list. `#5084 <https://github.com/aio-libs/aiohttp/issues/5084>`_ Misc ---- - `#2856 <https://github.com/aio-libs/aiohttp/issues/2856>`_, `#4218 <https://github.com/aio-libs/aiohttp/issues/4218>`_, `#4250 <https://github.com/aio-libs/aiohttp/issues/4250>`_
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What do these changes do?
Allow
samesiteto be allowed in cookeis, see also:Are there changes in behavior for the user?
no, just new
samesite=Nonekeyword argument toset_cookie()Related issue number
Checklist
CONTRIBUTORS.txtCHANGESfolder<issue_id>.<type>for example (588.bugfix)issue_idchange it to the pr id after creating the pr.feature: Signifying a new feature..bugfix: Signifying a bug fix..doc: Signifying a documentation improvement..removal: Signifying a deprecation or removal of public API..misc: A ticket has been closed, but it is not of interest to users.