Add __Host- prefix to CSRF and session cookie, remove cookie_domain (#3831)

* Add __Host- prefix to CSRF and session cookie, remove cookie_domain

* Fix tests
Raphael Michel
2024-01-25 09:45:56 +01:00
committed by GitHub
parent dba8e80868
commit 6af2d38a98
6 changed files with 59 additions and 42 deletions


@@ -165,11 +165,10 @@ def test_cookie_domain_on_event_domain(env, client):
@pytest.mark.django_db
def test_cookie_domain_on_main_domain(env, client):
with override_settings(SESSION_COOKIE_DOMAIN='example.com'):
client.post('/mrmcd/2015/cart/add', HTTP_HOST='example.com')
r = client.get('/mrmcd/2015/', HTTP_HOST='example.com')
assert r.client.cookies['pretix_csrftoken']['domain'] == 'example.com'
assert r.client.cookies['pretix_session']['domain'] == 'example.com'
client.post('/mrmcd/2015/cart/add', HTTP_HOST='example.com')
r = client.get('/mrmcd/2015/', HTTP_HOST='example.com')
assert r.client.cookies['pretix_csrftoken']['domain'] == ''
assert r.client.cookies['pretix_session']['domain'] == ''
@pytest.mark.django_db
@@ -200,8 +199,8 @@ def test_cookie_samesite_none(env, client, agent):
client.post('/mrmcd/2015/cart/add', HTTP_HOST='example.com', HTTP_USER_AGENT=agent,
secure=True)
r = client.get('/mrmcd/2015/', HTTP_HOST='example.com', HTTP_USER_AGENT=agent, secure=True)
assert r.client.cookies['pretix_csrftoken']['samesite'] == 'None'
assert r.client.cookies['pretix_session']['samesite'] == 'None'
assert r.client.cookies['__Host-pretix_csrftoken']['samesite'] == 'None'
assert r.client.cookies['__Host-pretix_session']['samesite'] == 'None'
@pytest.mark.django_db
@@ -220,4 +219,4 @@ def test_cookie_samesite_none(env, client, agent):
def test_cookie_samesite_none_only_on_compatible_browsers(env, client, agent):
client.post('/mrmcd/2015/cart/add', HTTP_HOST='example.com', HTTP_USER_AGENT=agent, secure=True)
r = client.get('/mrmcd/2015/', HTTP_HOST='example.com', HTTP_USER_AGENT=agent, secure=True)
assert not r.client.cookies['pretix_csrftoken'].get('samesite')
assert not r.client.cookies['__Host-pretix_csrftoken'].get('samesite')
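Review bot: The new assertions on `__Host-pretix_csrftoken` / `__Host-pretix_session` in the `test_cookie_samesite_none` hunk only check `samesite`, yet browsers reject a `__Host-` cookie unless it is also flagged `Secure`, carries no `Domain` attribute and has `Path=/`; nothing in this section pins those three properties on the prefixed cookies, so a regression in any of them would surface as users being silently logged out or CSRF failing rather than as a test failure. I would add, next to the samesite checks, `assert r.client.cookies['__Host-pretix_session']['secure']`, `assert r.client.cookies['__Host-pretix_session']['domain'] == ''` and `assert r.client.cookies['__Host-pretix_session']['path'] == '/'` (and the same three for the CSRF cookie). The first hunk asserts `domain == ''` only on the unprefixed `pretix_csrftoken` / `pretix_session` over a non-secure request, which suggests the prefix is applied only when the request is secure — a short comment in that test stating this (e.g. `# plain HTTP request: no __Host- prefix, but still no Domain attribute`) would make the two hunks read consistently. Note also that renaming the cookies invalidates every existing session and CSRF token at deploy time; presumably intended, but worth a sentence in the commit description or changelog. The body of `test_cookie_samesite_none` starts outside the hunk.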