https://github.com/python/cpython/commit/9abbb58e3f023555473d9e8b82738ef44077cfa8
commit: 9abbb58e3f023555473d9e8b82738ef44077cfa8
branch: main
author: Giles Copp <[email protected]>
committer: gpshead <[email protected]>
date: 2025-01-24T22:31:52Z
summary:

gh-112713 : Add support for 'partitioned' attribute in http.cookies (GH-112714)

* Add support for 'partitioned' attribute in http.cookies

Co-authored-by: Giles Copp <[email protected]>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>

files:
A 
Misc/NEWS.d/next/Core_and_Builtins/2023-12-04-15-53-25.gh-issue-112713.Zrhv77.rst
M Doc/library/http.cookies.rst
M Lib/http/cookies.py
M Lib/test/test_http_cookies.py

diff --git a/Doc/library/http.cookies.rst b/Doc/library/http.cookies.rst
index ad37a0fca4742d..eb196320721194 100644
--- a/Doc/library/http.cookies.rst
+++ b/Doc/library/http.cookies.rst
@@ -142,6 +142,7 @@ Morsel Objects
                     version
                     httponly
                     samesite
+                    partitioned
 
    The attribute :attr:`httponly` specifies that the cookie is only transferred
    in HTTP requests, and is not accessible through JavaScript. This is intended
@@ -151,6 +152,19 @@ Morsel Objects
    send the cookie along with cross-site requests. This helps to mitigate CSRF
    attacks. Valid values for this attribute are "Strict" and "Lax".
 
+   The attribute :attr:`partitioned` indicates to user agents that these
+   cross-site cookies *should* only be available in the same top-level context
+   that the cookie was first set in. For this to be accepted by the user agent,
+   you **must** also set ``Secure``.
+
+   In addition, it is recommended to use the ``__Host`` prefix when setting
+   partitioned cookies to make them bound to the hostname and not the
+   registrable domain. Read
+   `CHIPS (Cookies Having Independent Partitioned State)`_
+   for full details and examples.
+
+   .. _CHIPS (Cookies Having Independent Partitioned State): https://github.com/privacycg/CHIPS/blob/main/README.md
+
    The keys are case-insensitive and their default value is ``''``.
 
    .. versionchanged:: 3.5
@@ -165,6 +179,9 @@ Morsel Objects
    .. versionchanged:: 3.8
       Added support for the :attr:`samesite` attribute.
 
+   .. versionchanged:: 3.14
+      Added support for the :attr:`partitioned` attribute.
+
 
 .. attribute:: Morsel.value
 
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 23d5461f86fc23..694b1b09a0567c 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -264,11 +264,12 @@ class Morsel(dict):
         "httponly" : "HttpOnly",
         "version"  : "Version",
         "samesite" : "SameSite",
+        "partitioned": "Partitioned",
     }
 
     _reserved_defaults = dict.fromkeys(_reserved, "")
 
-    _flags = {'secure', 'httponly'}
+    _flags = {'secure', 'httponly', 'partitioned'}
 
     def __init__(self):
         # Set defaults
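Review bot: Adding `'partitioned'` to `_flags` lets a Morsel emit `Partitioned` on its own, and nothing in this hunk ties it to `secure`, although the documentation added in the same commit states that user agents only accept the attribute when `Secure` is also set. A caller who sets only `partitioned` would presumably get a header the user agent rejects, so the privacy control fails silently. Enforcing the pairing in the output path would change behaviour, so the minimum is a comment on the set, for example `# Valueless attributes; user agents honour 'partitioned' only when 'secure' is also set (see CHIPS).` The Morsel class starts and continues outside the hunk, so whether the output code already checks this cannot be confirmed from here.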
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 7b3dc0fdaedc3b..d945de23493f20 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -205,6 +205,14 @@ def test_set_secure_httponly_attrs(self):
         self.assertEqual(C.output(),
             'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Secure')
 
+    def test_set_secure_httponly_partitioned_attrs(self):
+        C = cookies.SimpleCookie('Customer="WILE_E_COYOTE"')
+        C['Customer']['secure'] = True
+        C['Customer']['httponly'] = True
+        C['Customer']['partitioned'] = True
+        self.assertEqual(C.output(),
+            'Set-Cookie: Customer="WILE_E_COYOTE"; HttpOnly; Partitioned; Secure')
+
     def test_samesite_attrs(self):
         samesite_values = ['Strict', 'Lax', 'strict', 'lax']
         for val in samesite_values:
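Review bot: `test_set_secure_httponly_partitioned_attrs` only covers the flag being set programmatically to `True` together with `secure`; it never parses a header that carries `Partitioned`, and never checks that a falsy value keeps it out of the output. Assuming the parser treats the new flag like the existing ones, a parse case would be `C = cookies.SimpleCookie('Customer="W"; Partitioned; Secure')` followed by `self.assertTrue(C['Customer']['partitioned'])`. A second case should assert that `Partitioned` is absent from `C.output()` when the key is left at its default `''`. The enclosing test class and the rest of `test_samesite_attrs` lie outside the hunk.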
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2023-12-04-15-53-25.gh-issue-112713.Zrhv77.rst b/Misc/NEWS.d/next/Core_and_Builtins/2023-12-04-15-53-25.gh-issue-112713.Zrhv77.rst
new file mode 100644
index 00000000000000..ee1f33f95647bd
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2023-12-04-15-53-25.gh-issue-112713.Zrhv77.rst
@@ -0,0 +1 @@
+Added support for the ``Partitioned`` cookie flag in :mod:`http.cookies`.
