Added support for SameSite cookie option for CSRF prevention

This was an easy addon compared to the complexity of the CSRF nonce
support.  It only works in chromium browsers (Chrome, Opera...)  at
the moment. But there is recent activity on implementing it in
firefox.  Who know when edge/ie will adopt it. So csrf nonce and
header analysis will be needed for a while.

Author: rouilj

CHANGES.txt

@@ -188,6 +188,10 @@ Features:
   Requiring enforcement will need some changes to
   templates. Support for protecting xmlrpc endpoint not well
   tested.  See ``upgrading.txt``. (John Rouillard)
+- Added support for using the SameSite cookie option on the
+  session cookie. Default is lax, but there is a settable
+  option in config.ini file to change to strict or
+  suppress it entirely. See ``upgrading.txt``. (John Rouillard)
 
 Fixed:
 

doc/upgrading.txt

@@ -101,6 +101,19 @@ It is suggested that you change your templates so every form
 has an @csrf field and change the setting to 'required' for
 the csrf_enforce_token.
 
+Support for SameSite cookie option for session cookie
+-----------------------------------------------------
+
+Support for serving the session cookie using the SameSite cookie option
+has been added. By default it is set to lax to provide a better user
+experience. But this can be changes to strict or the option can be
+removed entirely.
+
+Using the process for merging config.ini changes described in
+`Cross Site Request Forgery Detection Added`_ you can add the
+``samesite_cookie_setting`` to the ``[web]`` section of the config
+file.
+
 Fix for path traversal changes template resolution
 --------------------------------------------------
 

roundup/cgi/client.py

@@ -1981,6 +1981,9 @@ def header(self, headers=None, response=None):
             # mark as secure if https, see issue2550689
             if self.secure:
                 cookie += " secure;"
+            ssc = self.db.config['WEB_SAMESITE_COOKIE_SETTING']
+            if ssc != "None":
+                cookie += " SameSite=%s;"%ssc
             # prevent theft of session cookie, see issue2550689
             cookie += " HttpOnly;"
             headers.append(('Set-Cookie', cookie))

roundup/configuration.py

@@ -306,6 +306,20 @@ def str2value(self, value):
         else:
             raise OptionValueError(self, value, self.class_description)
 
+class SameSiteSettingOption(Option):
+
+    """How should the SameSite cookie setting be set: strict, lax
+or should it not be added (none)"""
+
+    class_description = "Allowed values: Strict, Lax, None"
+
+    def str2value(self, value):
+        _val = value.lower()
+        if _val in ("strict", "lax", "none"):
+            return _val.capitalize()
+        else:
+            raise OptionValueError(self, value, self.class_description)
+        
 class EmailBodyOption(Option):
 
     """When to replace message body or strip quoting: always, never or for new items only"""
@@ -646,6 +660,15 @@ def str2value(self, value):
             "variables supplied by your web server (in that order).\n"
             "Set this option to 'no' if you do not wish to use HTTP Basic\n"
             "Authentication in your web interface."),
+        (SameSiteSettingOption, 'samesite_cookie_setting', "Lax",
+            """Set the mode of the SameSite cookie option for
+the session cookie. Choices are 'Lax' or
+'Strict'. 'None' can be used to suppress the
+option. Strict mode provides additional security
+against CSRF attacks, but may confuse users who
+are logged into roundup and open a roundup link
+from a source other than roundup (e.g. link in
+email)."""),
         (CsrfSettingOption, 'csrf_enforce_token', "yes",
             """How do we deal with @csrf fields in posted forms.
 Set this to 'required' to block the post and notify