Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add SESSION_COOKIE_PARTITIONED config #5499

Merged
merged 1 commit into from
Nov 1, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ Unreleased
through the ``MAX_CONTENT_LENGTH`` config. Added
``MAX_FORM_MEMORY_SIZE`` and ``MAX_FORM_PARTS`` config. Added documentation
about resource limits to the security page. :issue:`5625`
- Add support for the ``Partitioned`` cookie attribute (CHIPS), with the
``SESSION_COOKIE_PARTITIONED`` config. :issue`5472`


Version 3.0.3
Expand Down
17 changes: 17 additions & 0 deletions docs/config.rst
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,23 @@ The following configuration values are used internally by Flask:

Default: ``False``

.. py:data:: SESSION_COOKIE_PARTITIONED

Browsers will send cookies based on the top-level document's domain, rather
than only the domain of the document setting the cookie. This prevents third
party cookies set in iframes from "leaking" between separate sites.

Browsers are beginning to disallow non-partitioned third party cookies, so
you need to mark your cookies partitioned if you expect them to work in such
embedded situations.

Enabling this implicitly enables :data:`SESSION_COOKIE_SECURE` as well, as
it is only valid when served over HTTPS.

Default: ``False``

.. versionadded:: 3.1

.. py:data:: SESSION_COOKIE_SAMESITE

Restrict how cookies are sent with requests from external sites. Can
Expand Down
1 change: 1 addition & 0 deletions src/flask/app.py
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,7 @@ class Flask(App):
"SESSION_COOKIE_PATH": None,
"SESSION_COOKIE_HTTPONLY": True,
"SESSION_COOKIE_SECURE": False,
"SESSION_COOKIE_PARTITIONED": False,
"SESSION_COOKIE_SAMESITE": None,
"SESSION_REFRESH_EACH_REQUEST": True,
"MAX_CONTENT_LENGTH": None,
Expand Down
11 changes: 11 additions & 0 deletions src/flask/sessions.py
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,14 @@ def get_cookie_samesite(self, app: Flask) -> str | None:
"""
return app.config["SESSION_COOKIE_SAMESITE"] # type: ignore[no-any-return]

def get_cookie_partitioned(self, app: Flask) -> bool:
"""Returns True if the cookie should be partitioned. By default, uses
the value of :data:`SESSION_COOKIE_PARTITIONED`.

.. versionadded:: 3.1
"""
return app.config["SESSION_COOKIE_PARTITIONED"] # type: ignore[no-any-return]

def get_expiration_time(self, app: Flask, session: SessionMixin) -> datetime | None:
"""A helper method that returns an expiration date for the session
or ``None`` if the session is linked to the browser session. The
Expand Down Expand Up @@ -338,6 +346,7 @@ def save_session(
domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app)
secure = self.get_cookie_secure(app)
partitioned = self.get_cookie_partitioned(app)
samesite = self.get_cookie_samesite(app)
httponly = self.get_cookie_httponly(app)

Expand All @@ -354,6 +363,7 @@ def save_session(
domain=domain,
path=path,
secure=secure,
partitioned=partitioned,
samesite=samesite,
httponly=httponly,
)
Expand All @@ -374,6 +384,7 @@ def save_session(
domain=domain,
path=path,
secure=secure,
partitioned=partitioned,
samesite=samesite,
)
response.vary.add("Cookie")
3 changes: 3 additions & 0 deletions tests/test_basic.py
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,7 @@ def test_session_using_session_settings(app, client):
SESSION_COOKIE_DOMAIN=".example.com",
SESSION_COOKIE_HTTPONLY=False,
SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_PARTITIONED=True,
SESSION_COOKIE_SAMESITE="Lax",
SESSION_COOKIE_PATH="/",
)
Expand All @@ -315,6 +316,7 @@ def clear():
assert "secure" in cookie
assert "httponly" not in cookie
assert "samesite" in cookie
assert "partitioned" in cookie

rv = client.get("/clear", "http://www.example.com:8080/test/")
cookie = rv.headers["set-cookie"].lower()
Expand All @@ -324,6 +326,7 @@ def clear():
assert "path=/" in cookie
assert "secure" in cookie
assert "samesite" in cookie
assert "partitioned" in cookie


def test_session_using_samesite_attribute(app, client):
Expand Down