set CSRF_COOKIE_SAMESITE to None (#49283)

2021-01-12 11:34:27 +01:00 · 2021-01-12 11:34:27 +01:00 · cd54c56f8c
parent 446788ece6
commit cd54c56f8c
2 changed files with 4 additions and 3 deletions
--- a/debian/debian_config_common.py
+++ b/debian/debian_config_common.py
@ -266,6 +266,8 @@ CSRF_COOKIE_HTTPONLY = True
 SESSION_COOKIE_SECURE = True
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 SESSION_COOKIE_AGE = 36000 # 10h
+
+CSRF_COOKIE_SAMESITE = None
 # Apply sessionNotOnOrAfter on session expiration date
 SESSION_ENGINE = 'mellon.sessions_backends.cached_db'

--- a/hobo/middleware/cookies_samesite.py
+++ b/hobo/middleware/cookies_samesite.py
@ -27,9 +27,8 @@ class CookiesSameSiteFixMiddleware(MiddlewareMixin):
        # this can be removed once django 2.2 is used and settings.
        # CSRF_COOKIE_SAMESITE & SESSION_COOKIE_SAMESITE can be used.
        if settings.CSRF_COOKIE_NAME in response.cookies:
-            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = (
-                getattr(settings, 'CSRF_COOKIE_SAMESITE', 'None').title()
-            )
+            same_site = settings.CSRF_COOKIE_SAMESITE or 'None'
+            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = same_site.title()
        if settings.SESSION_COOKIE_NAME in response.cookies:
            response.cookies[settings.SESSION_COOKIE_NAME]['samesite'] = 'None'
        return response