How to explicitly set samesite=None on a flask response
Once the fix to this issue is released, you will be able to use set_cookie() like this:

```python
from flask import Flask, make_response

app = Flask(__name__)

@app.route('/')
def hello_world():
    resp = make_response('Hello, World!')
    resp.set_cookie('same-site-cookie', 'foo', samesite='Lax')
    # A cookie sent cross-site needs SameSite=None, and browsers only accept
    # SameSite=None together with the Secure attribute.
    resp.set_cookie('cross-site-cookie', 'bar', samesite='None', secure=True)
    return resp
```
While you're waiting for the release, you can still set the header explicitly:

```python
from flask import Flask, make_response

app = Flask(__name__)

@app.route('/')
def hello_world():
    resp = make_response('Hello, World!')
    resp.set_cookie('same-site-cookie', 'foo', samesite='Lax')
    # Ensure you use "add" to not overwrite existing cookie headers
    resp.headers.add('Set-Cookie', 'cross-site-cookie=bar; SameSite=None; Secure')
    return resp
```
You can also use the following code to set cookies with SameSite=None until the fix is released:

```python
from werkzeug.http import dump_cookie

# That's a workaround for explicitly setting SameSite to None
# until the following fix is released:
# https://github.com/pallets/werkzeug/issues/1549
def set_cookie(response, *args, **kwargs):
    # dump_cookie() omits the SameSite attribute entirely when samesite=None,
    # so append it by hand to the serialized cookie.
    cookie = dump_cookie(*args, **kwargs)
    if 'samesite' in kwargs and kwargs['samesite'] is None:
        cookie = "{}; SameSite=None".format(cookie)
    response.headers.add('Set-Cookie', cookie)
```
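Both answers above hand-build or patch the Set-Cookie header, which makes it easy to emit a cookie that a browser will silently drop: SameSite=None is only honoured when Secure is also present, and a cookie with no SameSite attribute at all (what an old werkzeug produced for samesite=None) is treated as Lax. The following added example, which is not code from either answer or from Flask/werkzeug, parses emitted Set-Cookie values (for instance the list from `response.headers.getlist('Set-Cookie')` in a Flask test) and reports those combinations; the sample headers are constructed here.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure / HttpOnly have no value: record True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cross_site_cookie_findings(headers):
    """Return one finding per cookie whose SameSite/Secure combination is wrong.

    SameSite=None without Secure: browsers reject the cookie outright.
    No SameSite attribute: browsers default to Lax, so a cookie meant for
    cross-site requests (the case discussed above) silently stops being sent.
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append(f"{name}: no SameSite attribute; browsers default to Lax")
        elif samesite.lower() == "none" and attrs.get("secure") is not True:
            findings.append(f"{name}: SameSite=None requires the Secure attribute")
    return findings


def cross_site_set_cookie(name, value, path="/", httponly=True):
    """Build a Set-Cookie value for a cookie that must be sent cross-site.

    Secure is always included, since SameSite=None is invalid without it.
    """
    parts = [f"{name}={value}", f"Path={path}", "SameSite=None", "Secure"]
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


# Constructed sample: the headers the answers above emit, plus one bad cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "same-site-cookie=foo; Path=/; SameSite=Lax",
    "cross-site-cookie=bar; SameSite=None; Secure",
    "broken-cookie=baz; Path=/; SameSite=None",
    cross_site_set_cookie("session", "abc123"),
]

if __name__ == "__main__":
    for finding in cross_site_cookie_findings(SAMPLE_SET_COOKIE_HEADERS):
        print(finding)
```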