diff --git a/readthedocs/core/middleware.py b/readthedocs/core/middleware.py
index f5f060d7294..de5da624980 100644
--- a/readthedocs/core/middleware.py
+++ b/readthedocs/core/middleware.py
@@ -57,15 +57,15 @@ def process_request(self, request):
 request.session = SessionBase() # create an empty session
 return
- if settings.SESSION_COOKIE_SAMESITE:
- super().process_request(request)
- else:
+ if settings.SESSION_COOKIE_SAMESITE == "None":
 if settings.SESSION_COOKIE_NAME in request.COOKIES:
 session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
 else:
 session_key = request.COOKIES.get(self.cookie_name_fallback)
 request.session = self.SessionStore(session_key)
+ else:
+ super().process_request(request)
 def process_response(self, request, response):
 for url in self.IGNORE_URLS:
@@ -139,7 +139,7 @@ def process_response(self, request, response):
 )
 # NOTE: This was added to support the fallback cookie
- if not settings.SESSION_COOKIE_SAMESITE:
+ if settings.SESSION_COOKIE_SAMESITE == "None":
 # Forcibly set the session cookie to SameSite=None
 # This isn't supported in Django<3.1
 # https://github.com/django/django/pull/11894
@@ -157,7 +157,8 @@ def process_response(self, request, response):
 path=settings.SESSION_COOKIE_PATH,
 secure=settings.SESSION_COOKIE_SECURE or None,
 httponly=settings.SESSION_COOKIE_HTTPONLY or None,
- samesite=settings.SESSION_COOKIE_SAMESITE,
+ # Use browser default in case SameSite=None is rejected.
+ samesite=False,
 )
 return response
diff --git a/readthedocs/rtd_tests/tests/test_middleware.py b/readthedocs/rtd_tests/tests/test_middleware.py
index 9abce650fe1..698370a911b 100644
--- a/readthedocs/rtd_tests/tests/test_middleware.py
+++ b/readthedocs/rtd_tests/tests/test_middleware.py
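Review bot: The new condition `if settings.SESSION_COOKIE_SAMESITE == "None":` in process_request is a case-sensitive string match, while Django's `set_cookie` accepts the samesite value case-insensitively, so a deployment configured with `"none"` would get a `SameSite=None` session cookie from the parent middleware but never enter the fallback-cookie path; the same condition is repeated in the `@@ -139` hunk of process_response. Consider one helper predicate used at both sites, e.g. `def _samesite_none(self): value = settings.SESSION_COOKIE_SAMESITE; return isinstance(value, str) and value.lower() == "none"`, which also keeps Python `None` (attribute omitted) distinct from the string `"None"`. process_request's body begins before the hunk.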
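Review bot: The context comment `# This isn't supported in Django<3.1` directly under the changed condition in process_response is now misleading: the string `"None"` that enables this branch is itself only accepted by `set_cookie` from Django 3.1 on, so on the versions the comment describes the branch could not work around anything, and on Django 3.1+ the parent SessionMiddleware already emits `SameSite=None` for the main cookie, which makes the forced re-set below look redundant (the re-set lines are outside the hunk, so this is inferred). Suggest confirming the project's minimum Django version and either dropping the forced re-set or rewording the comment to state why an explicit re-set is still wanted, e.g. `# Re-issue the session cookie with SameSite=None explicitly; the fallback cookie is added below.` process_response continues outside the hunk.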
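Review bot: The added comment `# Use browser default in case SameSite=None is rejected.` understates what `samesite=False` means for the fallback cookie: it carries the same session key as the main cookie (process_request reads it whenever the main cookie is absent) but is stored without any SameSite attribute, so in browsers whose default is not Lax it travels with cross-site requests and the session's protection against cross-site request forgery rests on the CSRF middleware rather than on SameSite. I'd record that where the decision is made: `# Fallback cookie: same session key, no SameSite attribute (some browsers reject SameSite=None); cross-site protection for it comes from CSRF checks, not SameSite.` The context line `secure=settings.SESSION_COOKIE_SECURE or None` is also worth a look for the forced SameSite=None cookie set above this hunk, since browsers discard `SameSite=None` cookies that lack `Secure`; that setting has to be true whenever this branch is active. The rest of process_response is outside the hunk.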
@@ -250,7 +250,7 @@ def setUp(self):
 self.user = create_user(username="owner", password="test")
- @override_settings(SESSION_COOKIE_SAMESITE=None)
+ @override_settings(SESSION_COOKIE_SAMESITE="None")
 def test_fallback_cookie(self):
 request = self.factory.get("/")
 response = HttpResponse()
@@ -261,7 +261,7 @@ def test_fallback_cookie(self):
 self.assertTrue(settings.SESSION_COOKIE_NAME in response.cookies)
 self.assertTrue(self.middleware.cookie_name_fallback in response.cookies)
- @override_settings(SESSION_COOKIE_SAMESITE=None)
+ @override_settings(SESSION_COOKIE_SAMESITE="None")
 def test_main_cookie_samesite_none(self):
 request = self.factory.get("/")
 response = HttpResponse()
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
index 8a27fccb5d9..0cef49e51fc 100644
--- a/readthedocs/settings/base.py
+++ b/readthedocs/settings/base.py
@@ -109,7 +109,7 @@ def SESSION_COOKIE_SAMESITE(self):
 Cookie used in cross-origin API requests from *.rtd.io to rtd.org/api/v2/sustainability/.
 """
 if self.USE_PROMOS:
- return None
+ return "None"
 # This is django's default.
 return "Lax"
diff --git a/readthedocs/settings/proxito/base.py b/readthedocs/settings/proxito/base.py
index 78f3badd3ef..d700089df98 100644
--- a/readthedocs/settings/proxito/base.py
+++ b/readthedocs/settings/proxito/base.py
@@ -16,7 +16,7 @@ class CommunityProxitoSettingsMixin:
 # Allow cookies from cross-site requests on subdomains for now.
 # As 'Lax' breaks when the page is embedded in an iframe.
- SESSION_COOKIE_SAMESITE = None
+ SESSION_COOKIE_SAMESITE = "None"
 @property
 def DATABASES(self):
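Review bot: `return "None"` in the SESSION_COOKIE_SAMESITE property is only effective when the session cookie is also marked `Secure`; browsers discard a `SameSite=None` cookie that lacks the Secure attribute, and nothing in this property ties the value to SESSION_COOKIE_SECURE. The docstring could record that dependency, e.g. `Returns "None" only when promos are enabled; this requires SESSION_COOKIE_SECURE to be True, otherwise browsers reject the cookie.`, or the property could return "Lax" when SESSION_COOKIE_SECURE is not set, if that matches the intent. Whether SESSION_COOKIE_SECURE is set elsewhere in the settings is not visible here. The same hard-coded `"None"` appears in the proxito settings hunk, where the same caveat applies.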