Update CHANGES.rst and add explenation on SameSite cookie

e314d6c9 · Cédric Le Ninivin · Hanno Schlichting · bc91440b · e314d6c9 · e314d6c9
Commit e314d6c9 authored Sep 15, 2016 by Cédric Le Ninivin Committed by Hanno Schlichting Sep 15, 2016
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

CHANGES.rst CHANGES.rst +2 -0

src/ZPublisher/HTTPResponse.py src/ZPublisher/HTTPResponse.py +4 -0

No files found.
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -15,6 +15,8 @@ Bugs Fixed
 Features Added
 ++++++++++++++

+- Add support to SameSite cookie in ``ZPublisher.HTTPBaseResponse``:
+  https://tools.ietf.org/html/draft-west-first-party-cookies-07

 Restructuring
 +++++++++++++

--- a/src/ZPublisher/HTTPResponse.py
+++ b/src/ZPublisher/HTTPResponse.py
@@ -642,6 +642,10 @@ class HTTPBaseResponse(BaseResponse):
                # and block read/write access via JavaScript
                elif name == 'http_only' and v:
                    cookie = '%s; HTTPOnly' % cookie
+                # Some browsers recognize the SameSite cookie attribute
+                # and do not send the cookie along with cross-site requests
+                # providing some protection against CSRF attacks
+                # https://tools.ietf.org/html/draft-west-first-party-cookies-07
                elif name == 'same_site' and v:
                    cookie = '%s; SameSite=%s' % (cookie, v)
            cookie_list.append(('Set-Cookie', cookie))