middleware: transform cookies to have SameSite=None (#45667)

2020-07-31 16:34:58 +02:00 · 2020-07-31 16:34:58 +02:00 · 8b40112c35
parent 7ce95390ac
commit 8b40112c35
3 changed files with 45 additions and 0 deletions
--- a/debian/debian_config_common.py
+++ b/debian/debian_config_common.py
@ -301,10 +301,12 @@ if PROJECT_NAME != 'wcs':
    if 'MIDDLEWARE_CLASSES' in globals():
        MIDDLEWARE_CLASSES = (
            'hobo.multitenant.middleware.TenantMiddleware',
+            'hobo.middleware.CookiesSameSiteFixMiddleware',
        ) + MIDDLEWARE_CLASSES
    else:
        MIDDLEWARE = (
            'hobo.multitenant.middleware.TenantMiddleware',
+            'hobo.middleware.CookiesSameSiteFixMiddleware',
        ) + MIDDLEWARE

    DATABASES = {
--- a/hobo/middleware/init.py
+++ b/hobo/middleware/init.py
@ -1,4 +1,5 @@
 from .version import VersionMiddleware
+from .cookies_samesite import CookiesSameSiteFixMiddleware
 from .cors import CORSMiddleware
 from .seo import RobotsTxtMiddleware
 from .stats import PrometheusStatsMiddleware
--- a/hobo/middleware/cookies_samesite.py
+++ b/hobo/middleware/cookies_samesite.py
@ -0,0 +1,42 @@
+# hobo - portal to configure and deploy applications
+# Copyright (C) 2015-2020  Entr'ouvert
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from django.conf import settings
+from django.utils import six
+from django.utils.deprecation import MiddlewareMixin
+
+
+class CookiesSameSiteFixMiddleware(MiddlewareMixin):
+    def process_response(self, request, response):
+        # adjust CSRF and session cookies to mark them with SameSite=None
+        # as required by newer Chrome versions.
+        # see: https://www.chromestatus.com/feature/5088147346030592
+        # this can be removed once django 2.2 is used and settings.
+        # CSRF_COOKIE_SAMESITE & SESSION_COOKIE_SAMESITE can be used.
+        if settings.CSRF_COOKIE_NAME in response.cookies:
+            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = 'None'
+        if settings.SESSION_COOKIE_NAME in response.cookies:
+            response.cookies[settings.SESSION_COOKIE_NAME]['samesite'] = 'None'
+        return response
+
+
+if six.PY2:
+    import Cookie
+    Cookie.Morsel._reserved.setdefault('samesite', 'SameSite')
+else:
+    # required for Python <3.8
+    import http.cookies
+    http.cookies.Morsel._reserved.setdefault('samesite', 'SameSite')