Commit 1c656163 authored by Cédric Le Ninivin's avatar Cédric Le Ninivin

Update CHANGES.rst and add explenation on SameSite cookie

parent c3550a55
...@@ -18,6 +18,9 @@ http://docs.zope.org/zope2/ ...@@ -18,6 +18,9 @@ http://docs.zope.org/zope2/
- Removed docstrings from some methods to avoid publishing them. From - Removed docstrings from some methods to avoid publishing them. From
Products.PloneHotfix20160419. [maurits] Products.PloneHotfix20160419. [maurits]
- Add support to SameSite cookie in ``ZPublisher.HTTPResponse``:
https://tools.ietf.org/html/draft-west-first-party-cookies-07
2.13.24 (2016-02-29) 2.13.24 (2016-02-29)
-------------------- --------------------
......
...@@ -903,6 +903,10 @@ class HTTPResponse(BaseResponse): ...@@ -903,6 +903,10 @@ class HTTPResponse(BaseResponse):
# and block read/write access via JavaScript # and block read/write access via JavaScript
elif name == 'http_only' and v: elif name == 'http_only' and v:
cookie = '%s; HTTPOnly' % cookie cookie = '%s; HTTPOnly' % cookie
# Some browsers recognize the SameSite cookie attribute
# and do not send the cookie along with cross-site requests
# providing some protection against CSRF attacks
# https://tools.ietf.org/html/draft-west-first-party-cookies-07
elif name == 'same_site': elif name == 'same_site':
cookie = '%s; SameSite=%s' % (cookie, v) cookie = '%s; SameSite=%s' % (cookie, v)
cookie_list.append(('Set-Cookie', cookie)) cookie_list.append(('Set-Cookie', cookie))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment