Merge pull request #4136 from cp2004/fix/samesite-none

🐛 Fix SameSite=None cookie
OctoPrint · May 18, 2021 · c838436 · c838436
2 parents f284585 + d83d4b1
commit c838436
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/docs/configuration/config_yaml.rst b/docs/configuration/config_yaml.rst
@@ -909,9 +909,9 @@ Use the following settings to configure the server:
 
      # Settings for further configuration of the cookies that OctoPrint sets (login, remember me, ...)
      cookies:
-       # SameSite setting to use on the cookies. Possible values are None, Lax and Strict. Defaults to None but
-       # be advised that browsers will soon force this to Lax unless also being set as Secure and served over
-       # https, which will cause issues with embedding OctoPrint in frames.
+       # SameSite setting to use on the cookies. Possible values are None, Lax and Strict. Defaults to not set but
+       # be advised that many browsers now default to Lax unless set as Secure, explicitly setting the cookie type
+       # here and served over https, which causes issues with embedding OctoPrint in frames.
        #
        # See also https://www.chromestatus.com/feature/5088147346030592,
        # https://www.chromestatus.com/feature/5633521622188032 and issue #3482

diff --git a/src/octoprint/server/util/flask.py b/src/octoprint/server/util/flask.py
@@ -567,8 +567,10 @@ def set_cookie(self, key, *args, **kwargs):
         if samesite is not None:
             samesite = samesite.lower()
         if samesite == "none":
-            samesite = None
-        if samesite not in (None, "strict", "lax"):
+            # Must be string "None"
+            samesite = "None"
+        if samesite not in ("None", "strict", "lax"):
+            # If NoneType, the cookie is not set
             samesite = None
         kwargs["samesite"] = samesite
 

diff --git a/tests/server/util/test_flask.py b/tests/server/util/test_flask.py
@@ -503,7 +503,7 @@ def tearDown(self):
 
     @data(
         [None, None, False, None, None],
-        [None, None, False, "none", None],
+        [None, None, False, "none", "None"],
         [None, None, False, "lax", "lax"],
         [None, None, False, "StRiCt", "strict"],
         [None, None, False, "INVALID", None],