From 982fb0149dbf93cef1ba92b89d4918070ad61fd6 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Wed, 18 Dec 2019 19:03:17 +0100
Subject: [PATCH] Never set SameSite=None without HTTPS
---
 src/pretix/helpers/cookies.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/pretix/helpers/cookies.py b/src/pretix/helpers/cookies.py
index 0c0fbfc78..da9cb44e7 100644
--- a/src/pretix/helpers/cookies.py
+++ b/src/pretix/helpers/cookies.py
@@ -6,6 +6,13 @@ from django.conf import settings
 def set_cookie_without_samesite(request, response, key, *args, **kwargs):
 assert 'samesite' not in kwargs
 response.set_cookie(key, *args, **kwargs)
+ is_secure = (
+ kwargs.get('secure', False) or request.scheme == 'https' or
+ settings.SITE_URL.startswith('https://')
+ )
+ if not is_secure:
+ # https://www.chromestatus.com/feature/5633521622188032
+ return
 if should_send_same_site_none(request.headers.get('User-Agent', '')):
 # Chromium is rolling out SameSite=Lax as a default
 # https://www.chromestatus.com/feature/5088147346030592
@@ -15,10 +22,7 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
 response.cookies[key]['samesite'] = 'None'
 # This will only work on secure cookies as well
 # https://www.chromestatus.com/feature/5633521622188032
- response.cookies[key]['secure'] = (
- kwargs.get('secure', False) or request.scheme == 'https' or
- settings.SITE_URL.startswith('https://')
- )
+ response.cookies[key]['secure'] = is_secure
 # Based on https://www.chromium.org/updates/same-site/incompatible-clients
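Review bot: The early `return` on `not is_secure` leaves the cookie with no SameSite attribute at all on plain-HTTP deployments, and its only explanation is a bare Chromestatus URL, so a reader cannot tell whether that outcome is intended. Under the Chromium Lax default mentioned in the comment a few lines below, such a cookie is withheld on cross-site requests, which is the very case this helper exists to handle, so the consequence deserves a real comment, e.g. `# SameSite=None is only honoured on Secure cookies, which need HTTPS; over plain HTTP leave SameSite unset and accept the browser's Lax default (cross-site delivery will not work there).` If running without HTTPS is an operator error rather than a supported mode, a one-time warning at startup would be more useful to operators than this silent return. set_cookie_without_samesite continues past the end of this hunk.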
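Review bot: `response.cookies[key]['secure'] = is_secure` now always assigns True, because the early return added in the first hunk exits the function whenever `is_secure` is false, yet the comment above it ("This will only work on secure cookies as well") still reads as if secure-ness were decided at this point. Writing `response.cookies[key]['secure'] = True` states the invariant plainly, and the comment could become `# Secure is mandatory for SameSite=None; HTTPS was already verified above.` The lines between the two hunks are not shown, so I cannot confirm that nothing there touches the `secure` flag; if something does, keep the variable and adjust only the comment.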