Skip to content

Bugfix accept additional attributes to the delete cookie #1889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
davidism merged 1 commit into from
Oct 14, 2020
Merged

Bugfix accept additional attributes to the delete cookie #1889

davidism merged 1 commit into from
Oct 14, 2020

Conversation

@pgjones
Copy link
Member

@pgjones pgjones commented Jul 14, 2020

Recent browser changes mean that cookies will not be set if they have
the wrong combination of attributes e.g. SameSite none and not
secure. This also affects deletion which itself is a set cookie
command.

Only the SameSite and secure attributes are required, however it seems
more useful to accept all the possibilities for other edge cases.

See also https://chromestatus.com/feature/5633521622188032

See also https://www.thinktecture.com/en/identity/samesite/how-to-delete-samesite-cookies/

@davidism davidism added this to the 2.0.0 milestone Jul 17, 2020
teymour-aldridge
teymour-aldridge reviewed Jul 24, 2020
View reviewed changes
pgjones
pgjones commented Jul 26, 2020
View reviewed changes
@pgjones pgjones mentioned this pull request Aug 10, 2020
Merged
@matush-v
Copy link

matush-v commented Aug 24, 2020

Thoughts on updating the test server's method in this PR as well?

werkzeug/src/werkzeug/test.py

Line 886 in b45ac05

def delete_cookie(self, server_name, key, path="/", domain=None):

The changes to the test server should be identical so it'll be cleaner all together rather than separate PRs.

These changes look good to me and are necessary for pallets/flask#3726.

@pgjones
Copy link
Member Author

pgjones commented Oct 7, 2020

@darcatron thanks, I've done so.

@pgjones pgjones requested a review from davidism October 7, 2020 17:16
davidism
davidism reviewed Oct 7, 2020
View reviewed changes
Copy link
Member

@davidism davidism left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a changelog, otherwise looks fine.

@pgjones pgjones requested a review from davidism October 7, 2020 17:25
@pgjones @davidism
match delete_cookie arguments with set_cookie
7483127 
Recent browser changes mean that cookies will not be set if they have
the wrong combination of attributes e.g. SameSite none and not
secure. This also affects deletion which itself is a set cookie
command.

Only the SameSite and secure attributes are required, however it seems
more useful to accept all the possibilities for other edge cases.

See also https://chromestatus.com/feature/5633521622188032
@davidism davidism merged commit 99790b8 into pallets:master Oct 14, 2020
@pgjones
Copy link
Member Author

pgjones commented Oct 14, 2020

Thanks 🎉

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020
@pgjones pgjones deleted the delete_cookie branch June 11, 2022 09:50
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@davidism davidism davidism approved these changes

+1 more reviewer

@teymour-aldridge teymour-aldridge teymour-aldridge left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@pgjones @matush-v @davidism @teymour-aldridge