SameSite=Lax attribute for cookies set by the app.

kilgoretrout1985 · Jul 8, 2020 · 9e9490f · 9e9490f
1 parent 9d78f0c
commit 9e9490f
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+1.7.9:
+
+    - SameSite=Lax attribute for cookies set by the app (https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Set-Cookie/SameSite).
+
 1.7.8:
 
     - Minor technical update due to pytz dependency update and new migration because of it.

diff --git a/push/static/push/js/push.js b/push/static/push/js/push.js
@@ -115,7 +115,7 @@
             // and save it to send a push message at a later date
             push_save_on_server(subscription);
             // delete "do not disturb" cookie
-            setCookie('push_dnd', '', {expires: -86400, path: '/'});
+            setCookie('push_dnd', '', {expires: -86400, path: '/', samesite: 'lax'});
         })
         .catch(function(e) {
             if ('Notification' in window && window.Notification &&
@@ -222,7 +222,7 @@
         fetch(request)
         .then(function(response) {
             if(response.ok) {
-                setCookie('push_hash', hash, {expires: 7*24*3600, path: '/'});
+                setCookie('push_hash', hash, {expires: 7*24*3600, path: '/', samesite: 'lax'});
                 console.log('Successfully saved subscription.');
             } else {
                 console.warn('Network response on subscription save was not ok.', response);
@@ -295,7 +295,7 @@
                 // the subscription from your data store so you
                 // don't attempt to send them push messages anymore
                 push_deactivate_on_server(subscription);
-                setCookie('push_dnd', '1', {expires: 365*86400, path: '/'});
+                setCookie('push_dnd', '1', {expires: 365*86400, path: '/', samesite: 'lax'});
                 pushButton.disabled = false;
                 pushButton.textContent = django_infopush_js_dynamic_vars.on_button_label;
                 push_is_enabled = false;

diff --git a/push/templates/push/_head_include.html b/push/templates/push/_head_include.html
@@ -14,4 +14,4 @@
     };
 </script>
 <script defer type="text/javascript" src="{% static 'push/js/jstz.min.js' %}?1" charset="utf-8"></script>
-<script defer type="text/javascript" src="{% static 'push/js/push.js' %}?56" charset="utf-8"></script>
+<script defer type="text/javascript" src="{% static 'push/js/push.js' %}?57" charset="utf-8"></script>
diff --git a/setup.py b/setup.py
@@ -11,7 +11,7 @@
 
 setuptools.setup(
     name='django_infopush',
-    version='1.7.8',
+    version='1.7.9',
     packages=setuptools.find_packages(),  # ['push'],
     include_package_data=True,
     license='MIT',