Support partitioned cookies

pgjones · pgjones · commit 94176078a017 · 2024-12-24T19:41:22.000Z
This follows Flask's implementation and allows for cookies to be
marked as partitioned. This in turn will allow a third party cookie to
work on the origin the top-level site it is set on and not
others. Without partitioned the browser may (is likely) to block the
cookie outright.
diff --git a/src/quart/app.py b/src/quart/app.py
@@ -263,6 +263,7 @@ class Quart(App):
             "SESSION_COOKIE_DOMAIN": None,
             "SESSION_COOKIE_HTTPONLY": True,
             "SESSION_COOKIE_NAME": "session",
+            "SESSION_COOKIE_PARTITIONED": False,
             "SESSION_COOKIE_PATH": None,
             "SESSION_COOKIE_SAMESITE": None,
             "SESSION_COOKIE_SECURE": False,
diff --git a/src/quart/sessions.py b/src/quart/sessions.py
@@ -55,6 +55,10 @@ def get_cookie_domain(self, app: Quart) -> str | None:
         rv = app.config["SESSION_COOKIE_DOMAIN"]
         return rv if rv else None
 
+    def get_cookie_partitioned(self, app: Quart) -> bool:
+        """Helper method to return the Cookie partitioned setting for the App."""
+        return app.config["SESSION_COOKIE_PARTITIONED"]
+
     def get_cookie_path(self, app: Quart) -> str:
         """Helper method to return the Cookie path for the App."""
         return app.config["SESSION_COOKIE_PATH"] or app.config["APPLICATION_ROOT"]
@@ -195,6 +199,7 @@ async def save_session(
 
         name = self.get_cookie_name(app)
         domain = self.get_cookie_domain(app)
+        partitioned = self.get_cookie_partitioned(app)
         path = self.get_cookie_path(app)
         secure = self.get_cookie_secure(app)
         samesite = self.get_cookie_samesite(app)
@@ -211,6 +216,7 @@ async def save_session(
                 response.delete_cookie(
                     name,
                     domain=domain,
+                    partitioned=partitioned,
                     path=path,
                     secure=secure,
                     samesite=samesite,
@@ -231,6 +237,7 @@ async def save_session(
             expires=expires,
             httponly=httponly,
             domain=domain,
+            partitioned=partitioned,
             path=path,
             secure=secure,
             samesite=samesite,
