
bpo-29613: Added support for SameSite cookies #214

Closed
wants to merge 8 commits into from

Conversation

akash0x53

@the-knights-who-say-ni

Hello, and thanks for your contribution!

I'm a bot set up to make sure that the project can legally accept your contribution by verifying you have signed the PSF contributor agreement (CLA).

Unfortunately we couldn't find an account corresponding to your GitHub username on bugs.python.org (b.p.o) to verify you have signed the CLA. This is necessary for legal reasons before we can look at your contribution. Please follow these steps to help rectify the issue:

  1. If you don't have an account on b.p.o, please create one
  2. Make sure your GitHub username is listed in "Your Details" at b.p.o
  3. If you have not already done so, please sign the PSF contributor agreement
  4. If you just signed the CLA, please wait at least one US business day and then check "Your Details" on bugs.python.org to see if your account has been marked as having signed the CLA (the delay is due to a person having to manually check your signed CLA)
  5. Reply here saying you have completed the above steps

Thanks again for your contribution and we look forward to looking at it!

@alex
Member

alex commented Feb 21, 2017

Looks good to me! @akash0x53 please go ahead and get the CLA filled out so this can be merged.

(Note for other core devs: I'm not really up to speed on merging procedures, so I'm hoping someone else will do that part)

@@ -281,6 +281,7 @@ class Morsel(dict):
"secure" : "Secure",
"httponly" : "HttpOnly",
"version" : "Version",
"samesite" : "SameSite"
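Review bot: the new `"samesite" : "SameSite"` entry at the end of the attribute table in `Morsel` has no trailing comma, so the next attribute added to this table will have to touch this line as well; add the comma now. The table only maps the key to the header name, so this hunk by itself does not restrict the value to "Strict" or "Lax", and the new key needs a matching paragraph in Doc/library/http.cookies.rst.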
Member


Please update the documentation with this entry at Doc/library/http.cookies.rst

Contributor


Include a trailing comma so that if more items are added later, this line doesn't have to be modified again.

Member

@Mariatta Mariatta left a comment


Please update the docs.

@Mariatta
Member

Should there be entries in misc/ACKS and/or misc/News for this?
Also, I think this can only go to master branch, correct? So that it doesn't need to be backported?

I can do the merge once CLA is signed.

@alex
Member

alex commented Feb 21, 2017

Per the usual feature/bug division, I think this would be considered a feature and only go on master. (This makes me a bit sad, but that's a debate for another time).

Thanks for catching the need for docs!

@Mariatta
Member

Sounds good. Thanks @alex 😄

@akash0x53
Author

@Mariatta I pushed the changes, please review. Do I need a change in Misc/News?
@alex I signed the CLA but it seems it is still not reflected here.

@akash0x53
Author

@the-knights-who-say-ni I signed the CLA and it appeared on b.p.o.

@timgraham
Contributor

I think a .. versionchanged:: 3.7 annotation is also required in the docs.

The first comment on the PR says, "If you just signed the CLA, please wait at least one US business day".

@Mariatta
Member

Thanks @timgraham !
Hmm... I'm wondering if it should be .. versionadded:: 3.7 instead of .. versionchanged:: 3.7 ? 😅 Can other core devs confirm which one?

@akash0x53:
Please update Misc/NEWS with the following entry.

- bpo-29613: http.cookies.Morsel now supports SameSite cookies.  Patch by <your name>.

^ ensure the above wraps at 80 chars, and add it under What's New in Python 3.7.0 alpha 1? , and Library subheading :)

Please add yourself to Misc/ACKS (names are sorted alphabetically by last name)

Thanks!

@alex
Member

alex commented Feb 21, 2017

Usually versionadded is when the entire API is new, and versionchanged is when the API changed.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
values for this attribute are "Strict" and "Lax".

Member


Please add below this line:

   .. versionchanged:: 3.7
      Added support for :attr:`samesite` attribute.

Thanks @alex for the clarification about this :)


The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

.. versionchanged:: 3.7
Member


@akash0x53 I'm really sorry that I wasn't being clear about this :(

The versionchanged info is to be added after the paragraph about samesite attribute.

Overall the change should look like this:

   ...
   to mitigate some forms of cross-site scripting.

   The attribute :attr:`samesite` specifies that browser is not allowed to send the
   cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
   values for this attribute are ``'Strict'`` and ``'Lax'``.

   .. versionchanged:: 3.7
      Added support for :attr:`samesite` attribute.

   The keys are case-insensitive and their default value is ``''``.

Member

@berkerpeksag berkerpeksag left a comment


Unless I'm missing something, currently this will accept any value other than "Lax" and "Strict". I wonder if we should discard invalid values like "SameSite=invalid".

I think this PR needs some RFC reading and research on other programming languages.
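The unchecked behaviour berkerpeksag describes, placed beside a validating Morsel subclass, as an added example that is not code from this PR or from CPython's own tests. It assumes a Python whose http.cookies already accepts the samesite key, and the "None" value (from later SameSite drafts, not listed in this thread) is an assumption.

```python
import http.cookies

# Canonical spellings of the SameSite values. This PR lists only Strict and Lax;
# "None" is included here on the assumption that the later RFC 6265bis drafts apply.
SAMESITE_VALUES = {"strict": "Strict", "lax": "Lax", "none": "None"}


def canonical_samesite(value):
    """Return the canonical spelling of a SameSite value, or None if it is undefined."""
    return SAMESITE_VALUES.get(str(value).strip().lower())


class ValidatingMorsel(http.cookies.Morsel):
    """Morsel that refuses undefined SameSite values instead of passing them to the browser.

    The stock Morsel only maps the key to the header name, so it emits whatever it is given.
    """

    def __setitem__(self, key, value):
        if key.lower() == "samesite":
            canonical = canonical_samesite(value)
            if canonical is None:
                raise http.cookies.CookieError("invalid SameSite value: %r" % (value,))
            value = canonical
        super().__setitem__(key, value)


def set_cookie_header(name, value, samesite, *, secure=False, httponly=False, validate=True):
    """Build one Set-Cookie header; validate=False shows the unchecked stock behaviour."""
    morsel = ValidatingMorsel() if validate else http.cookies.Morsel()
    real_value, coded_value = http.cookies.SimpleCookie().value_encode(value)
    morsel.set(name, real_value, coded_value)
    morsel["samesite"] = samesite
    morsel["secure"] = secure      # flags are emitted as bare attributes when truthy
    morsel["httponly"] = httponly
    return morsel.output()


if __name__ == "__main__":
    print(set_cookie_header("Customer", "WILE_E_COYOTE", "Strict"))
    # Stock Morsel passes an undefined value straight through to the header.
    print(set_cookie_header("Customer", "WILE_E_COYOTE", "Invalid", validate=False))
    try:
        set_cookie_header("Customer", "WILE_E_COYOTE", "Invalid")
    except http.cookies.CookieError as exc:
        print("rejected:", exc)
```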

@@ -121,6 +121,18 @@ def test_set_secure_httponly_attrs(self):
self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')

def test_samesite_strict_attrs(self):
C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
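Review bot: `test_samesite_strict_attrs` exercises only the "Strict" value; since the documentation lists both "Strict" and "Lax", add a "Lax" case, and decide and test what `Morsel` does with a value outside that set, which no test here covers.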
Member


cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
values for this attribute are "Strict" and "Lax".

.. versionchanged:: 3.7
Member


Please move this to below the other version directives:

[...]

.. versionchanged:: 3.5
   [...]

.. versionchanged:: 3.7
   [...]

.. versionchanged:: 3.7
   Added support for :attr:`samesite` attribute.

Author


So it should be like this (the description of the attribute is also moved under 3.7):

+   .. versionchanged:: 3.7
+      Added support for :attr:`samesite` attribute.
+
+      The attribute :attr:`samesite` specifies that browser is not allowed to send the
+      cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
+      values for this attribute are "Strict" and "Lax".
+

Member


Please see the diff below:

+   The attribute :attr:`samesite` specifies that browser is not allowed to send the
+   cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
+   values for this attribute are "Strict" and "Lax".

    The keys are case-insensitive and their default value is ``''``.
  
    .. versionchanged:: 3.5
       :meth:`~Morsel.__eq__` now takes :attr:`~Morsel.key` and :attr:`~Morsel.value`
       into account.
 
    .. versionchanged:: 3.7
       Attributes :attr:`~Morsel.key`, :attr:`~Morsel.value` and
       :attr:`~Morsel.coded_value` are read-only.  Use :meth:`~Morsel.set` for
       setting them.

+   .. versionchanged:: 3.7
+      Added support for :attr:`samesite` attribute.

@akash0x53
Author

Hi @Mariatta and @berkerpeksag, I made a few changes as per the suggestions.


The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
Contributor


I think "The samesite attribute" is better English (not sure if the pattern from the previous paragraph is commonly used).
"the browser" (add "the")


The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
Contributor


This helps

@@ -153,6 +159,9 @@ Morsel Objects
:attr:`~Morsel.coded_value` are read-only. Use :meth:`~Morsel.set` for
setting them.

.. versionchanged:: 3.7
Added support for :attr:`samesite` attribute.
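Review bot: the directive body "Added support for :attr:`samesite` attribute." reads better as "Added support for the :attr:`samesite` attribute."; keep that body indented under `.. versionchanged:: 3.7`, as the `Use :meth:`~Morsel.set`` block above it is, so Sphinx attaches it to the directive rather than starting a new paragraph.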
Contributor


for the

C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
C['Customer']['samesite'] = val
self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)
Contributor


indentation missing

Author


Negative. It's just an illusion, I guess. It shows perfectly in my vim.

Member


What Tim meant was that the second argument needs to be indented, like:

self.assertEqual(C.output(),
                 'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite=%s' % val)

or even better:

expected = f'Set-Cookie: Customer="WILE_E_COYOTE"; SameSite={val}'
self.assertEqual(C.output(), expected)


The attribute :attr:`httponly` specifies that the cookie is only transferred
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.

The attribute :attr:`samesite` specifies that browser is not allowed to send the
cookie along with cross-site requests. This help to mitigate CSRF attacks. Valid
values for this attribute are "Strict" and "Lax".
Contributor


What are the meaning of these values?
Are invalid values rejected? I don't see any code/tests for that.

Author


Explaining the values would be out of scope of the Python documentation. I think invalid values should be accepted; after all, it's the browser's job to discard invalid values. Suppose, in future, they propose or add another value for SameSite; then we need to make space for that too. By the way, I'm not sure about this; let the members decide.

Member


Tim is correct that we need to add a test for invalid values. However, we need to decide on what we should do with invalid values first. I don't have time to do a research at the moment, but just a note that Firefox doesn't implement SameSite support yet: https://bugzilla.mozilla.org/show_bug.cgi?id=795346

Author


You're right. However, Chrome implemented SameSite. Right now only Chrome has implemented this. https://bugs.chromium.org/p/chromium/issues/detail?id=459154
I checked the test cases they wrote for the same; I didn't find test cases for invalid values.
https://chromium.googlesource.com/chromium/src/+/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/canonical_cookie_unittest.cc#86

I messed with this branch :( Should I open new PR?

Contributor


You should be able to fix the branch by rebasing and force pushing.

@@ -121,6 +121,15 @@ def test_set_secure_httponly_attrs(self):
self.assertEqual(C.output(),
'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')

def test_samesite_attrs(self):
samesite_values = ("Strict", "Lax")
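Review bot: `samesite_values = ("Strict", "Lax")` uses double quotes while the surrounding tests in this file use single quotes; switch for consistency. Looping over the two valid values still leaves undefined values untested, so either add a case asserting what `Morsel` does with a value such as "Invalid" or document that the value is passed through unchecked.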
Contributor


Use single quotes for consistency?

@berkerpeksag
Member

@akash0x53 please fix your branch. There are a lot of unrelated commits.

@alex
Member

alex commented Apr 1, 2017

It looks like there are a few outstanding issues here still. Do you have the time to fix them up?

@akash0x53
Author

Yes @alex, I'll fix it ASAP.

@kravietz

kravietz commented May 3, 2017

@akash0x53 Are we still on track for 3.7 with this change? As Django PR#8380 depends on this one I can help if necessary!

@akash0x53
Author

akash0x53 commented May 4, 2017

I definitely need help on this @kravietz. I checked your PR; it allows setting invalid values on the cookie. If that approach is taken here then this PR is good to go. I'm confused whether we should allow invalid values or not 😕

@kravietz

kravietz commented May 4, 2017

@akash0x53 Correct, I have updated the Django code to check for invalid samesite values and am ready to help with the Python patch. I guess it might be easier if we could chat in real time and plan the next steps - IRC or something?

BTW for Django I've created a workaround for the Python dependency by patching the Morsel and SimpleCookie objects.

@Mariatta
Member

Please rebase.

@alex
Member

alex commented Apr 7, 2018

I've rebased this over at #6413, should be ready to merge.

@alex alex closed this in #6413 Apr 7, 2018
jaraco added a commit to jaraco/cpython that referenced this pull request Feb 17, 2023
…and not a compatibility feature. Add DegenerateFiles for readers that don't implement the files API such that the rest of the API can rely on it being implemented. Fixes python#214.