Improve cookie SameSite/secure handling #700
Merged
Commits on Mar 22, 2021
-
Improve cookie SameSite/secure handling
Add new "samesite" option in [server] section to configure SameSite header for cookies. As a fallback, use local.host to detect URL scheme and set SameSite to "None" (https) or "Lax" (http) accordingly. Set `Secure` attribute in response header so that cookies will only be sent when requesting content from `https://` URLs. Fixes: ``` Cookie “isso-[id]” will be soon rejected because it has the “SameSite” attribute set to “None” ``` See: https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite and https://werkzeug.palletsprojects.com/en/1.0.x/http/#werkzeug.http.dump_cookie
-
tests: Test host-dependent secure/insecure cookies
Ensure that: > Set `Secure` attribute in response header so that cookies > will only be sent when requesting content from `https://` > URLs. And also: > Respect samesite conf item in [server] section. > As a fallback, use local.host to detect URL scheme and set > SameSite to "None" (https) or "Lax" (http) accordingly.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.