gh-112713 : Add support for 'partitioned' attribute in http.cookies#112714
Conversation
|
All commit authors signed the Contributor License Agreement. |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
| The attribute :attr:`partitioned` indicates to user agents that these | ||
| cross-site cookies *should* only be available in the same top-level context | ||
| that the cookie was first set in. For this to be accepted by the user agent, | ||
| you **must** also set both ``Secure`` and ``Path=/``. |
There was a problem hiding this comment.
I updated the wording here to clarify that Secure is required... but the CHIPS spec doesn't explicitly say anything about Path= though Path=/ appears in all of its examples. What wording should be used regarding Path, I'm not sure how I've phrased this is wholly accurate.
There was a problem hiding this comment.
Per privacycg/CHIPS#49, Path=/ is not needed. I'm going to push an update to this PR shortly.
|
I'm leaving this as a Draft PR as whether or not this is desirable isn't settled - it is not yet a standard. We normally wait until something sees actual accepted adoption. |
|
Understood that CHIPS is a draft and that it probably makes sense to wait until it's ratified before adding to the stdlib. My understanding from reading the RFCs is that it has tentative support from Mozilla and Apple, so hopefully it will be mergeable whenever the wheels of the working groups turn! :) I want to address this comment from #112713 by @gpshead:
We are planning to provide a custom patch which does something like this (figuratively): original_morsel_output = Cookie.Morsel.output
def patched_morsel_output(
self: _MorselType,
attrs: Optional[List[str]] = None,
header: str = "Set-Cookie:",
):
cookie_str = original_morsel_output(self, attrs, header)
if "samesite=none" in cookie_str.lower():
cookie_str += "; Partitioned"
return cookie_str
Cookie.Morsel.output = patched_morsel_outputIt's not ideal, but gives us space to also extend the stdlib in other ways since we'll be importing this instead of |
|
@giles-v Please note that discussions on PRs should be about the implementation; wider discussion about the request itself happens on the issue or on python-ideas. |
|
This has missed the beta window, but I think an argument could be made to core-devs and RM on discuss that this change is useful to deal with an external standard. (I don’t have the time to be the one to do that) We’ve had such a policy for changes to mimetypes for example. On the other hand, this is not a simple addition to a data dictionary, but a code change which we would not backport to stable branches, so the reply could be negative. (Thanks for the gardening picnixz. GPS added the label, not I) |
I would be glad to support such an argument if it's public; given the timeline of Google's CHIPS adoption, waiting for the next release is going to be onerous for users. As someone who has not engaged with the Python community before however I don't think I have any standing to drive a discussion like that either. |
In this case, this could be categorized as type-security/bug fix (bugfixes would get backported to 3.12 and security fixes until 3.8) cc @Yhg1s |
|
I think arguing for this feature as a security fix would go too far. |
|
Thanks for the review @merwok -- are you able to merge also? |
|
I wanted a second review, not being an expert on the cookie module. Thanks gps! |
|
I was checking https://docs.python.org/3/whatsnew/3.14.html#http but couldn't find a mention of this change. Is it actually missing from the changelog or should I be looking for it in a different place? |
python/cpython#112714 Couldn't find a related entry in https://docs.python.org/3/whatsnew/3.14.html#http
It's not mentioned in What's New, but it is in the changelog: https://docs.python.org/3.14/whatsnew/changelog.html#id140 |
python/cpython#112714 Couldn't find a related entry in https://docs.python.org/3/whatsnew/3.14.html#http
python/cpython#112714 Couldn't find a related entry in https://docs.python.org/3/whatsnew/3.14.html#http
Fixes #112713.
This PR adds support for the new
Partitionedattribute in the Morsel object inhttp.cookies.📚 Documentation preview 📚: https://cpython-previews--112714.org.readthedocs.build/