Set cookies with SameSite=None if possible (#1509)

2026-05-06 15:24:02 +00:00 · 2019-12-03 14:50:18 +01:00
parent 098b7363e6
commit d46278f04f
5 changed files with 184 additions and 22 deletions
--- a/src/pretix/multidomain/middlewares.py
+++ b/src/pretix/multidomain/middlewares.py
@@ -15,6 +15,7 @@ from django.utils.deprecation import MiddlewareMixin
 from django.utils.http import http_date

 from pretix.base.models import Organizer
+from pretix.helpers.cookies import set_cookie_without_samesite
 from pretix.multidomain.models import KnownDomain

 LOCAL_HOST_NAMES = ('testserver', 'localhost')
@@ -106,13 +107,16 @@ class SessionMiddleware(BaseSessionMiddleware):
                    # Skip session save for 500 responses, refs #3881.
                    if response.status_code != 500:
                        request.session.save()
-                        response.set_cookie(settings.SESSION_COOKIE_NAME,
-                                            request.session.session_key, max_age=max_age,
-                                            expires=expires,
-                                            domain=get_cookie_domain(request),
-                                            path=settings.SESSION_COOKIE_PATH,
-                                            secure=request.scheme == 'https',
-                                            httponly=settings.SESSION_COOKIE_HTTPONLY or None)
+                        set_cookie_without_samesite(
+                            request, response,
+                            settings.SESSION_COOKIE_NAME,
+                            request.session.session_key, max_age=max_age,
+                            expires=expires,
+                            domain=get_cookie_domain(request),
+                            path=settings.SESSION_COOKIE_PATH,
+                            secure=request.scheme == 'https',
+                            httponly=settings.SESSION_COOKIE_HTTPONLY or None
+                        )
        return response


@@ -138,14 +142,16 @@ class CsrfViewMiddleware(BaseCsrfMiddleware):

        # Set the CSRF cookie even if it's already set, so we renew
        # the expiry timer.
-        response.set_cookie(settings.CSRF_COOKIE_NAME,
-                            request.META["CSRF_COOKIE"],
-                            max_age=settings.CSRF_COOKIE_AGE,
-                            domain=get_cookie_domain(request),
-                            path=settings.CSRF_COOKIE_PATH,
-                            secure=request.scheme == 'https',
-                            httponly=settings.CSRF_COOKIE_HTTPONLY
-                            )
+        set_cookie_without_samesite(
+            request, response,
+            settings.CSRF_COOKIE_NAME,
+            request.META["CSRF_COOKIE"],
+            max_age=settings.CSRF_COOKIE_AGE,
+            domain=get_cookie_domain(request),
+            path=settings.CSRF_COOKIE_PATH,
+            secure=request.scheme == 'https',
+            httponly=settings.CSRF_COOKIE_HTTPONLY
+        )
        # Content varies with the CSRF cookie, so set the Vary header.
        patch_vary_headers(response, ('Cookie',))
        response.csrf_processing_done = True