Mercurial > p > roundup > code

diff roundup/cgi/client.py @ 5212:d4cc71beb102

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Added support for SameSite cookie option for CSRF prevention This was an easy addon compared to the complexity of the CSRF nonce support. It only works in chromium browsers (Chrome, Opera...) at the moment. But there is recent activity on implementing it in firefox. Who know when edge/ie will adopt it. So csrf nonce and header analysis will be needed for a while.
author John Rouillard <rouilj@ieee.org>
date Sun, 19 Mar 2017 19:01:41 -0400
parents f4b6a2a3e605
children 44f7e6b958fe
line wrap: on
line diff
--- a/roundup/cgi/client.py	Sun Mar 19 17:10:13 2017 -0400
+++ b/roundup/cgi/client.py	Sun Mar 19 19:01:41 2017 -0400
@@ -1981,6 +1981,9 @@
             # mark as secure if https, see issue2550689
             if self.secure:
                 cookie += " secure;"
+            ssc = self.db.config['WEB_SAMESITE_COOKIE_SETTING']
+            if ssc != "None":
+                cookie += " SameSite=%s;"%ssc
             # prevent theft of session cookie, see issue2550689
             cookie += " HttpOnly;"
             headers.append(('Set-Cookie', cookie))
Roundup Issue Tracker: http://roundup-tracker.org/