Set cookies with SameSite=None if possible (#1509)

2026-05-06 15:24:02 +00:00 · 2019-12-03 14:50:18 +01:00
parent 098b7363e6
commit d46278f04f
5 changed files with 184 additions and 22 deletions
--- a/src/pretix/helpers/cookies.py
+++ b/src/pretix/helpers/cookies.py
@@ -0,0 +1,105 @@
+import re
+
+from django.conf import settings
+
+
+def set_cookie_without_samesite(request, response, key, *args, **kwargs):
+    assert 'samesite' not in kwargs
+    response.set_cookie(key, *args, **kwargs)
+    if should_send_same_site_none(request.headers.get('User-Agent', '')):
+        # Chromium is rolling out SameSite=Lax as a default
+        # https://www.chromestatus.com/feature/5088147346030592
+        # This however breaks all pretix-in-an-iframe things, such as the pretix Widget.
+        # Sadly, this means we need to forcefully set SameSite=None and rely on our other
+        # CSRF protections to be working.
+        response.cookies[key]['samesite'] = 'None'
+        # This will only work on secure cookies as well
+        # https://www.chromestatus.com/feature/5633521622188032
+        response.cookies[key]['secure'] = (
+            kwargs.get('secure', False) or request.scheme == 'https' or
+            settings.SITE_URL.startswith('https://')
+        )
+
+
+# Based on https://www.chromium.org/updates/same-site/incompatible-clients
+# Copyright 2019 Google LLC.
+# SPDX-License-Identifier: Apache-2.0
+
+
+def should_send_same_site_none(useragent):
+    # Don’t send `SameSite=None` to known incompatible clients.
+    return not has_web_kit_same_site_bug(useragent) and not drops_unrecognized_same_site_cookies(useragent)
+
+
+def has_web_kit_same_site_bug(useragent):
+    return is_ios_version(12, useragent) or (
+        is_macosx_version(10, 14, useragent) and (is_safari(useragent) or is_mac_embedded_browser(useragent))
+    )
+
+
+def drops_unrecognized_same_site_cookies(useragent):
+    if is_uc_browser(useragent):
+        return not is_uc_browser_version_at_least(12, 13, 2, useragent)
+    return (
+        is_chromium_based(useragent) and is_chromium_version_at_least(51, useragent) and
+        not is_chromium_version_at_least(67, useragent)
+    )
+
+
+# Regex parsing of User-Agent string. (See note above!)
+RE_CHROMIUM = re.compile(r"Chrom(e|ium)")
+RE_CHROMIUM_VERSION = re.compile(r"Chrom[^ /]+/([0-9]+)[.0-9]* ")
+RE_UC_VERSION = re.compile(r"UCBrowser/([0-9]+)\.([0-9]+)\.([0-9]+)[.0-9]* ")
+RE_IOS_VERSION = re.compile(r"\(iP.+; CPU .*OS ([0-9]+)[_0-9]*.*\) AppleWebKit/")
+RE_MAC_VERSION = re.compile(r"\(Macintosh;.*Mac OS X ([0-9]+)_([0-9]+)[_0-9]*.*\) AppleWebKit/")
+RE_SAFARI = re.compile(r"Version/.* Safari/")
+RE_MAC_EMBEDDED = re.compile(r"^Mozilla/[.0-9]+ \(Macintosh;.*Mac OS X [_0-9]+\) AppleWebKit/[.0-9]+ \(KHTML, "
+                             r"like Gecko\)$")
+
+
+def is_ios_version(major, useragent):
+    m = RE_IOS_VERSION.search(useragent)
+    if not m:
+        return False
+    return m.group(1) == str(major)
+
+
+def is_macosx_version(major, minor, useragent):
+    m = RE_MAC_VERSION.search(useragent)
+    if not m:
+        return False
+
+    return m.group(1) == str(major) and m.group(2) == str(minor)
+
+
+def is_safari(useragent):
+    return RE_SAFARI.search(useragent) and not is_chromium_based(useragent)
+
+
+def is_mac_embedded_browser(useragent):
+    return RE_MAC_EMBEDDED.search(useragent)
+
+
+def is_chromium_based(useragent):
+    return RE_CHROMIUM.search(useragent)
+
+
+def is_chromium_version_at_least(major, useragent):
+    # Extract digits from first capturing group.
+    version = int(RE_CHROMIUM_VERSION.search(useragent).group(1))
+    return version >= major
+
+
+def is_uc_browser(useragent):
+    return 'UCBrowser/' in useragent
+
+
+def is_uc_browser_version_at_least(major, minor, build, useragent):
+    major_version = int(RE_UC_VERSION.search(useragent).group(1))
+    minor_version = int(RE_UC_VERSION.search(useragent).group(2))
+    build_version = int(RE_UC_VERSION.search(useragent).group(3))
+    if major_version != major:
+        return major_version > major
+    if minor_version != minor:
+        return minor_version > minor
+    return build_version >= build
--- a/src/pretix/multidomain/middlewares.py
+++ b/src/pretix/multidomain/middlewares.py
@@ -15,6 +15,7 @@ from django.utils.deprecation import MiddlewareMixin
 from django.utils.http import http_date

 from pretix.base.models import Organizer
+from pretix.helpers.cookies import set_cookie_without_samesite
 from pretix.multidomain.models import KnownDomain

 LOCAL_HOST_NAMES = ('testserver', 'localhost')
@@ -106,13 +107,16 @@ class SessionMiddleware(BaseSessionMiddleware):
                    # Skip session save for 500 responses, refs #3881.
                    if response.status_code != 500:
                        request.session.save()
-                        response.set_cookie(settings.SESSION_COOKIE_NAME,
-                                            request.session.session_key, max_age=max_age,
-                                            expires=expires,
-                                            domain=get_cookie_domain(request),
-                                            path=settings.SESSION_COOKIE_PATH,
-                                            secure=request.scheme == 'https',
-                                            httponly=settings.SESSION_COOKIE_HTTPONLY or None)
+                        set_cookie_without_samesite(
+                            request, response,
+                            settings.SESSION_COOKIE_NAME,
+                            request.session.session_key, max_age=max_age,
+                            expires=expires,
+                            domain=get_cookie_domain(request),
+                            path=settings.SESSION_COOKIE_PATH,
+                            secure=request.scheme == 'https',
+                            httponly=settings.SESSION_COOKIE_HTTPONLY or None
+                        )
        return response


@@ -138,14 +142,16 @@ class CsrfViewMiddleware(BaseCsrfMiddleware):

        # Set the CSRF cookie even if it's already set, so we renew
        # the expiry timer.
-        response.set_cookie(settings.CSRF_COOKIE_NAME,
-                            request.META["CSRF_COOKIE"],
-                            max_age=settings.CSRF_COOKIE_AGE,
-                            domain=get_cookie_domain(request),
-                            path=settings.CSRF_COOKIE_PATH,
-                            secure=request.scheme == 'https',
-                            httponly=settings.CSRF_COOKIE_HTTPONLY
-                            )
+        set_cookie_without_samesite(
+            request, response,
+            settings.CSRF_COOKIE_NAME,
+            request.META["CSRF_COOKIE"],
+            max_age=settings.CSRF_COOKIE_AGE,
+            domain=get_cookie_domain(request),
+            path=settings.CSRF_COOKIE_PATH,
+            secure=request.scheme == 'https',
+            httponly=settings.CSRF_COOKIE_HTTPONLY
+        )
        # Content varies with the CSRF cookie, so set the Vary header.
        patch_vary_headers(response, ('Cookie',))
        response.csrf_processing_done = True
--- a/src/pretix/presale/views/init.py
+++ b/src/pretix/presale/views/init.py
@@ -16,6 +16,7 @@ from pretix.base.models import (
    CartPosition, InvoiceAddress, OrderPosition, QuestionAnswer,
 )
 from pretix.base.services.cart import get_fees
+from pretix.helpers.cookies import set_cookie_without_samesite
 from pretix.multidomain.urlreverse import eventreverse
 from pretix.presale.signals import question_form_fields

@@ -305,9 +306,15 @@ def iframe_entry_view_wrapper(view_func):
            with language(locale):
                resp = view_func(request, *args, **kwargs)
            max_age = 10 * 365 * 24 * 60 * 60
-            resp.set_cookie(settings.LANGUAGE_COOKIE_NAME, locale, max_age=max_age,
-                            expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime('%a, %d-%b-%Y %H:%M:%S GMT'),
-                            domain=settings.SESSION_COOKIE_DOMAIN)
+            set_cookie_without_samesite(
+                request,
+                resp,
+                settings.LANGUAGE_COOKIE_NAME,
+                locale,
+                max_age=max_age,
+                expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime('%a, %d-%b-%Y %H:%M:%S GMT'),
+                domain=settings.SESSION_COOKIE_DOMAIN
+            )
            return resp

        resp = view_func(request, *args, **kwargs)
--- a/src/pretix/presale/views/locale.py
+++ b/src/pretix/presale/views/locale.py
@@ -5,6 +5,8 @@ from django.http import HttpResponseRedirect
 from django.utils.http import is_safe_url
 from django.views.generic import View

+from pretix.helpers.cookies import set_cookie_without_samesite
+
 from .robots import NoSearchIndexViewMixin


@@ -19,9 +21,14 @@ class LocaleSet(NoSearchIndexViewMixin, View):
        if locale in [lc for lc, ll in settings.LANGUAGES]:

            max_age = 10 * 365 * 24 * 60 * 60
-            resp.set_cookie(settings.LANGUAGE_COOKIE_NAME, locale, max_age=max_age,
-                            expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime(
-                                '%a, %d-%b-%Y %H:%M:%S GMT'),
-                            domain=settings.SESSION_COOKIE_DOMAIN)
+            set_cookie_without_samesite(
+                request, resp,
+                settings.LANGUAGE_COOKIE_NAME,
+                locale,
+                max_age=max_age,
+                expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime(
+                    '%a, %d-%b-%Y %H:%M:%S GMT'),
+                domain=settings.SESSION_COOKIE_DOMAIN
+            )

        return resp