0005-set-CSRF_COOKIE_SAMESITE-to-None-49283.patch

Emmanuel Cazenave, 12 January 2021 17:12

View differences:

Subject: [PATCH 5/7] set CSRF_COOKIE_SAMESITE to None (#49283)

 debian/debian_config_common.py      | 2 ++
 hobo/middleware/cookies_samesite.py | 5 ++---
 2 files changed, 4 insertions(+), 3 deletions(-)
debian/debian_config_common.py
266 266
SESSION_COOKIE_SECURE = True
267 267
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
268 268
SESSION_COOKIE_AGE = 36000 # 10h
269

  
270
CSRF_COOKIE_SAMESITE = None
269 271
# Apply sessionNotOnOrAfter on session expiration date
270 272
SESSION_ENGINE = 'mellon.sessions_backends.cached_db'
271 273
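
Review bot: the added `CSRF_COOKIE_SAMESITE = None` (new line 270) is the Python `None`, not the string `'None'`, and nothing here says which is meant. The middleware changed in this same patch turns a falsy value into `SameSite=None`, so a one-line comment stating that the CSRF cookie is deliberately sent on cross-site requests, and why, would help the next reader. Browsers only accept `SameSite=None` cookies that are also marked `Secure`; this context shows `SESSION_COOKIE_SECURE = True` but no `CSRF_COOKIE_SECURE`, so it is worth confirming that it is set elsewhere in this file.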

  
hobo/middleware/cookies_samesite.py
27 27
        # this can be removed once django 2.2 is used and settings.
28 28
        # CSRF_COOKIE_SAMESITE & SESSION_COOKIE_SAMESITE can be used.
29 29
        if settings.CSRF_COOKIE_NAME in response.cookies:
30
            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = (
31
                getattr(settings, 'CSRF_COOKIE_SAMESITE', 'None').title()
32
            )
30
            same_site = settings.CSRF_COOKIE_SAMESITE or 'None'
31
            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = same_site.title()
33 32
        if settings.SESSION_COOKIE_NAME in response.cookies:
34 33
            response.cookies[settings.SESSION_COOKIE_NAME]['samesite'] = 'None'
35 34
        return response
36
-
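
Review bot: the new line 30 reads `settings.CSRF_COOKIE_SAMESITE` directly, where the removed code used `getattr(settings, 'CSRF_COOKIE_SAMESITE', 'None')`, so any deployment whose settings do not define the name now raises `AttributeError` on every response that carries the CSRF cookie. The comment at lines 27-28 says this middleware exists for Django versions older than 2.2, which is where a missing setting is most likely. Keeping the fallback, for example `getattr(settings, 'CSRF_COOKIE_SAMESITE', None) or 'None'`, preserves the old behaviour while still handling the `None` added in debian_config_common.py. Note also that `or 'None'` maps every falsy value (`False`, empty string) to `SameSite=None`, the most permissive setting; if that is intended, a short comment should say so.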