Same Site Cookie

I just found this article by Mozilla: Changes to SameSite Cookie Behavior – A Call to Action for Web Developers and wonder if there is action needed in Plone? Any opinions?

Last/latest Chrome version(s) will report such issues on the console (and I think there is a dedicated tab in the dev tools of Chrome). I would not find any issue with two sites using cookies heavily.

I saw a warning these days while working in the ZMI, plain Zope, though.

Had no chance to dig deeper, yet.

TIL that you can register a utility to tweak the cookie parameters, e.g.:

<configure xmlns="http://namespaces.zope.org/zope">
  <utility factory=".cookie.CustomCookieParamPolicy" />
</configure>

from ZPublisher.cookie import convertCookieParameter
from ZPublisher.cookie import DefaultCookieParamPolicy


class CustomCookieParamPolicy(DefaultCookieParamPolicy):
    @staticmethod
    def parameters(name, attrs):
        """Adds the SameSite cookie attribute to the parameters."""
        # Pass through everything the default policy yields first, otherwise
        # parameters set elsewhere (e.g. by plone.session) would be dropped.
        # Zero-argument super() does not work inside a staticmethod, hence
        # the explicit two-argument form.
        yield from super(CustomCookieParamPolicy, CustomCookieParamPolicy).parameters(
            name, attrs
        )
        if "SameSite" not in attrs:
            yield convertCookieParameter("SameSite", "Lax")
1 Like
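A small audit script, added here as an example and not code from the thread or from Plone/Zope: it parses Set-Cookie header values (constructed samples below, with made-up cookie names apart from tree-s) and reports cookies that would trip the SameSite changes discussed above. It assumes Python 3.8 or later, where http.cookies understands the samesite attribute.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values for the audit; cookie names and values
# are made up for this example (tree-s is the dtml-tree cookie name mentioned
# in the thread; the others are placeholders).
SAMPLE_HEADERS = [
    'session="abc123"; Path=/; HttpOnly; SameSite=Lax',
    "tree-s=eJwT; Path=/",
    "embed=1; Path=/; SameSite=None",
    "embed=1; Path=/; SameSite=None; Secure",
]


def audit_set_cookie(header_value):
    """Return (cookie name, problem) pairs for one Set-Cookie header value.

    Two problems are reported: a missing SameSite attribute (modern browsers
    treat it as Lax and log a console warning), and SameSite=None without
    Secure, which browsers reject outright.
    """
    jar = SimpleCookie()
    jar.load(header_value)  # parses attributes such as Path, Secure, SameSite
    findings = []
    for name, morsel in jar.items():
        samesite = morsel["samesite"].lower()  # "" when the attribute is absent
        secure = bool(morsel["secure"])        # flag attribute, True or ""
        if not samesite:
            findings.append((name, "no SameSite attribute (browser defaults to Lax)"))
        elif samesite == "none" and not secure:
            findings.append((name, "SameSite=None without Secure is rejected"))
    return findings


def audit_headers(headers):
    """Audit several Set-Cookie values; returns {cookie name: [problems]}."""
    report = {}
    for value in headers:
        for name, problem in audit_set_cookie(value):
            report.setdefault(name, []).append(problem)
    return report


if __name__ == "__main__":
    for name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(name, "->", "; ".join(problems))
```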

I think you need to iterate over the result of the super call and yield them as well or the parameters from plone.session will be dropped.

1 Like

Thanks, I updated the code 🙂

Thanks for sharing. I did not know about that one either.

1 Like

FTR, SameSite will be set to “Lax” in plone.session via this PR: Set cookie attribute SameSite by reinhardt · Pull Request #30 · plone/plone.session · GitHub

This is included in the just released Plone 6.0.0b2. Full announcement to follow later.

And we will have it in Products.Session as well 🙂

... and Products.PluggableAuthService for the cookie auth helper (see Set the Cookie Auth Helper cookies with ``SameSite`` set to ``Strict`` by dataflake · Pull Request #114 · zopefoundation/Products.PluggableAuthService · GitHub) and DocumentTemplate for the dtml-tree tag (see Set `tree-s` cookie for `dtml-tree` with `SameSite=Lax` by dataflake · Pull Request #67 · zopefoundation/DocumentTemplate · GitHub)

2 Likes