Set cookies with SameSite=None if possible (#1509)

src/pretix/presale/views/__init__.py

@@ -16,6 +16,7 @@ from pretix.base.models import (
     CartPosition, InvoiceAddress, OrderPosition, QuestionAnswer,
 )
 from pretix.base.services.cart import get_fees
+from pretix.helpers.cookies import set_cookie_without_samesite
 from pretix.multidomain.urlreverse import eventreverse
 from pretix.presale.signals import question_form_fields
 
@@ -305,9 +306,15 @@ def iframe_entry_view_wrapper(view_func):
             with language(locale):
                 resp = view_func(request, *args, **kwargs)
             max_age = 10 * 365 * 24 * 60 * 60
-            resp.set_cookie(settings.LANGUAGE_COOKIE_NAME, locale, max_age=max_age,
-                            expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime('%a, %d-%b-%Y %H:%M:%S GMT'),
-                            domain=settings.SESSION_COOKIE_DOMAIN)
+            set_cookie_without_samesite(
+                request,
+                resp,
+                settings.LANGUAGE_COOKIE_NAME,
+                locale,
+                max_age=max_age,
+                expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime('%a, %d-%b-%Y %H:%M:%S GMT'),
+                domain=settings.SESSION_COOKIE_DOMAIN
+            )
             return resp
 
         resp = view_func(request, *args, **kwargs)

src/pretix/presale/views/locale.py

@@ -5,6 +5,8 @@ from django.http import HttpResponseRedirect
 from django.utils.http import is_safe_url
 from django.views.generic import View
 
+from pretix.helpers.cookies import set_cookie_without_samesite
+
 from .robots import NoSearchIndexViewMixin
 
 
@@ -19,9 +21,14 @@ class LocaleSet(NoSearchIndexViewMixin, View):
         if locale in [lc for lc, ll in settings.LANGUAGES]:
 
             max_age = 10 * 365 * 24 * 60 * 60
-            resp.set_cookie(settings.LANGUAGE_COOKIE_NAME, locale, max_age=max_age,
-                            expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime(
-                                '%a, %d-%b-%Y %H:%M:%S GMT'),
-                            domain=settings.SESSION_COOKIE_DOMAIN)
+            set_cookie_without_samesite(
+                request, resp,
+                settings.LANGUAGE_COOKIE_NAME,
+                locale,
+                max_age=max_age,
+                expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime(
+                    '%a, %d-%b-%Y %H:%M:%S GMT'),
+                domain=settings.SESSION_COOKIE_DOMAIN
+            )
 
         return resp