Improve cookie SameSite/secure handling

[ix5]

Add new samesite option in [server] section to configure SameSite header for cookies.

As a fallback, use local.host to detect URL scheme and set SameSite to None (https) or Lax (http) accordingly.

Set Secure attribute in response header so that cookies will only be sent when requesting content from https://
URLs.

Fixes:

Cookie “isso-[id]” will be soon rejected because it has the “SameSite” attribute set to “None”

(werkzeug sets SameSite to None by default anyway)

NOTE: This change might break quite a few local test setups!

Discussion: #682

See: https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
and https://werkzeug.palletsprojects.com/en/1.0.x/http/#werkzeug.http.dump_cookie

---

Sidenote:

• Setting isso_host_script should somehow be unified instead of duplicated in every function. local.host is only available per-request though, so there cannot be a class variable such as self.isso_host_script.

[ix5]

Will need to write tests for this.

[ix5]

Tagging @Lucas-C (because of #639), @Konzertheld (because of #558) in case any proxy configurations I haven't thought about ruin the day.

I also hadn't thought too much about what happens when people host isso under a subfolder, e.g. https://mysite.com/isso, but this PR only checks for URL scheme and nothing more.

[ix5]

Added tests

nosetests --with-doctest --with-coverage --cover-package=isso --cover-html isso/
.................................................................................
Name                        Stmts   Miss  Cover
-----------------------------------------------
isso/__init__.py              164     61    63%
isso/config.py                 77     11    86%
isso/core.py                   68     20    71%
isso/db/__init__.py            66      6    91%
isso/db/comments.py           135     20    85%
isso/db/preferences.py         17      0   100%
isso/db/spam.py                36      0   100%
isso/db/threads.py             15      1    93%
isso/dispatch.py               39     23    41%
isso/ext/__init__.py           10      0   100%
isso/ext/notifications.py     150    100    33%
isso/migrate.py               201     27    87%
isso/run.py                     5      0   100%
isso/utils/__init__.py         75     14    81%
isso/utils/hash.py             67      8    88%
isso/utils/html.py             50      1    98%
isso/utils/http.py             39     25    36%
isso/utils/parse.py            43      2    95%
isso/views/__init__.py         36      8    78%
isso/views/comments.py        468     95    80%
isso/wsgi.py                  103     26    75%
-----------------------------------------------
TOTAL                        1864    448    76%
----------------------------------------------------------------------
Ran 81 tests in 5.199s

OK

Note to self: Still need to set SameSite=Strict for http-only requests.

[Lucas-C]

The PR code & tests look good to me. Good job!

However I am a bit worried about "hardcoding" SameSite=None for all HTTPS endpoints:
wouldn't some users want to set it to Strict?

While I agree that this should be the default behaviour,
a suggestion in the discussion at #682 was to make it optionnaly configurable,
and that sounds like a good idea to me.

[ix5]

I've added a config option as suggested by @Lucas-C and @stefangehn and updated tests.

[ix5]

@Lucas-C @blatinier rebased, anything else you'd like to see changed or prevents you from merging?

[ix5]

Sweet, thanks!
Just a heads up, tests are currently failing due to flakes complaining about unused imports