Never set SameSite=None without HTTPS

This commit is contained in:
Raphael Michel
2019-12-18 19:03:17 +01:00
parent 4597cb9849
commit 982fb0149d


@@ -6,6 +6,13 @@ from django.conf import settings
def set_cookie_without_samesite(request, response, key, *args, **kwargs):
assert 'samesite' not in kwargs
response.set_cookie(key, *args, **kwargs)
is_secure = (
kwargs.get('secure', False) or request.scheme == 'https' or
settings.SITE_URL.startswith('https://')
)
if not is_secure:
# https://www.chromestatus.com/feature/5633521622188032
return
if should_send_same_site_none(request.headers.get('User-Agent', '')):
# Chromium is rolling out SameSite=Lax as a default
# https://www.chromestatus.com/feature/5088147346030592
@@ -15,10 +22,7 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
response.cookies[key]['samesite'] = 'None'
# This will only work on secure cookies as well
# https://www.chromestatus.com/feature/5633521622188032
response.cookies[key]['secure'] = (
kwargs.get('secure', False) or request.scheme == 'https' or
settings.SITE_URL.startswith('https://')
)
response.cookies[key]['secure'] = is_secure
# Based on https://www.chromium.org/updates/same-site/incompatible-clients