Add support for 'partitioned' attribute to set_cookie() #2213

Open
HIRANO-Satoshi opened this issue Feb 29, 2024 · 7 comments
Labels: enhancement, needs contributor, proposal

@HIRANO-Satoshi

As stated in a Google announcement, Chrome disabled third-party cookies for 1% of users as of 4th January 2024.

We need support for the 'Partitioned' attribute in cookies. I think adding Partitioned automatically would be good if same_site is None.

CPython developers have decided to add support for it in version 3.13.

The above PR includes a patch, but it is not compatible with Falcon due to Falcon having its own header generator.

So, here is a very dirty monkey patch for Falcon users who need it today:

# Monkey patch for the Partitioned attribute for 3rd party cookies
#
#  Usage:
#    response.set_cookie('mycookie', 'value', path='/', same_site='None', secure=True)
#    response._cookies['mycookie']['partitioned'] = True
#
#  See:
#     https://github.com/python/cpython/pull/112714#issuecomment-1946292244
#
from http import cookies

Morsel_reserved: dict[str, str] = getattr(cookies.Morsel, '_reserved', {})
if "partitioned" not in Morsel_reserved:
    Morsel_reserved['partitioned'] = 'Partitioned'
    getattr(cookies.Morsel, '_flags', set()).add('partitioned')

To use it, follow these steps. secure=True is needed with same_site='None'.

response.set_cookie('mycookie', 'value', path='/', same_site='None', secure=True)
response._cookies['mycookie']['partitioned'] = True
@CaselIT
Member

CaselIT commented Feb 29, 2024

Hi,

Another Google-only thing... Thanks for reporting, I was not aware of this new feature.
I think it would make sense to add, but I'm honestly not sure about

> I think adding Partitioned automatically would be good if same_site is None.

Is this the suggested behavior in the spec?

Some more links from MDN

PRs are welcome

CaselIT added the proposal and needs contributor labels Feb 29, 2024
@vytas7
Member

vytas7 commented Mar 2, 2024

I'm not convinced we should support every Google-specific thing, but if CPython accepts the referenced PR, this is good enough for us too I guess.

@CaselIT
Member

CaselIT commented Mar 2, 2024

An alternative could be to add an open-ended **kw to the method so that custom options can be added even before we commit one way or the other.

@vytas7
Member

vytas7 commented Mar 2, 2024

That's a good idea too @CaselIT, but we probably need to monkey-patch older Python stdlib in any case, as we already do/did for SameSite.

@HIRANO-Satoshi
Author

You know Chrome has already started rejecting cookies with samesite=None.

In addition to Chrome, Firefox also supports the Partitioned attribute, despite this, as it shows this.

Cookie “ory_hydra_login_csrf_dev_2630171196” will soon be rejected because it is foreign and does not have the “Partitioned“ attribute.

Safari developers seem to be going to support the Partitioned attribute.

Automatic addition of the Partitioned attribute is safe for most users. However, sometimes it may be overkill for certain use cases. If the user gives permission against SAA, cookies with samesite=None and without Partitioned can be used, for example, for keeping login status among multiple sites.

So, how about a combination of the following two measures? This is automatic but customizable.

  1. Add a "partitioned" keyword argument to set_cookie().

  2. Provide a partitioned_3rd_party_cookies_by_default global flag (default True) and add "Partitioned;secure;" by default to cookies with samesite=None if the partitioned keyword argument is not specified.

Here is an overview of measures for rejecting 3rd-party cookies.
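
An added example, not part of the thread and not Falcon code: a stdlib-only sketch of the two proposed measures, built on the same `Morsel` patch as the snippet in the opening post. `build_set_cookie` and `PARTITION_SAMESITE_NONE_BY_DEFAULT` are hypothetical names, and the patch relies on private `http.cookies` attributes.

```python
from http import cookies

# Same private-attribute patch as in the issue; it is skipped on Python
# versions whose Morsel already lists 'partitioned'.
reserved = getattr(cookies.Morsel, "_reserved", {})
if "partitioned" not in reserved:
    reserved["partitioned"] = "Partitioned"
    getattr(cookies.Morsel, "_flags", set()).add("partitioned")

# Hypothetical global flag from the proposal (default True).
PARTITION_SAMESITE_NONE_BY_DEFAULT = True


def build_set_cookie(name, value, *, path="/", same_site=None,
                     secure=False, partitioned=None):
    """Return a Set-Cookie header value (hypothetical helper, not Falcon API)."""
    cross_site = same_site is not None and same_site.lower() == "none"
    if partitioned is None:
        # Measure 2: keyword not given, so SameSite=None cookies get
        # "Partitioned; Secure" when the global flag is on.
        partitioned = PARTITION_SAMESITE_NONE_BY_DEFAULT and cross_site
        secure = secure or partitioned
    # Measure 1 lets the caller decide, but browsers reject either
    # attribute without Secure, so fail early instead of emitting it.
    if (partitioned or cross_site) and not secure:
        raise ValueError("Partitioned and SameSite=None both require Secure")

    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if same_site is not None:
        morsel["samesite"] = same_site
    if secure:
        morsel["secure"] = True
    if partitioned:
        morsel["partitioned"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample calls: default partitioning, then an explicit opt-out.
    print(build_set_cookie("mycookie", "value", same_site="None"))
    print(build_set_cookie("mycookie", "value", same_site="None",
                           secure=True, partitioned=False))
```
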

@vytas7
Member

vytas7 commented Mar 26, 2024

I wouldn't be so eager to automatically add Partitioned for SameSite=none cookies in the first iteration, as Falcon isn't much focused on cookies in general, and users can handle that themselves if needed.

Otherwise we would accept a PR for Partitioned if anyone opens that.

And we would even consider implementing that ourselves in the absence of community PRs, but only if it is standardized in CPython (the PRs/issues are still open for 3.13 at the time of this writing).

@HIRANO-Satoshi
Author

It's OK for me. That's reasonable.

Thanks for consideration.

@vytas7 vytas7 added this to the Triaged (Non-Breaking Changes) milestone Apr 17, 2024