middleware: define setting for CSRF cookie SameSite value (#48767)

hobo/middleware/cookies_samesite.py

@@ -27,7 +27,9 @@ class CookiesSameSiteFixMiddleware(MiddlewareMixin):
         # this can be removed once django 2.2 is used and settings.
         # CSRF_COOKIE_SAMESITE & SESSION_COOKIE_SAMESITE can be used.
         if settings.CSRF_COOKIE_NAME in response.cookies:
-            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = 'None'
+            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = (
+                getattr(settings, 'CSRF_COOKIE_SAMESITE', 'None').title()
+            )
         if settings.SESSION_COOKIE_NAME in response.cookies:
             response.cookies[settings.SESSION_COOKIE_NAME]['samesite'] = 'None'
         return response

hobo/test_urls.py

@@ -8,6 +8,8 @@ def helloworld(request):
     logging.getLogger(__name__).error('wat!')
     if 'raise' in request.GET:
         raise Exception('wat!')
+    request.META['CSRF_COOKIE_USED'] = True
+    request.META['CSRF_COOKIE'] = 'xxx'
     return HttpResponse('Hello world %s' % request.META['REMOTE_ADDR'])
 
 urlpatterns = [

tests_multitenant/test_middleware.py

@@ -30,3 +30,12 @@ def test_internalipmiddleware(app, tenants, settings):
     response = app.get('/?raise', status=500, extra_environ={'HTTP_HOST': tenants[0].domain_url})
     assert 'You\'re seeing this error because you have' in response.text
 
+
+def test_samesite_middleware(app, tenants, settings):
+    settings.ALLOWED_HOSTS = [tenants[0].domain_url]
+    response = app.get('/', extra_environ={'HTTP_HOST': tenants[0].domain_url})
+    assert 'SameSite=None' in str(response)
+    app.cookiejar.clear()
+    settings.CSRF_COOKIE_SAMESITE = 'lax'
+    response = app.get('/', extra_environ={'HTTP_HOST': tenants[0].domain_url})
+    assert 'SameSite=Lax' in str(response)