support for SESSION_COOKIE_SAMESITE

seahub/base/middleware.py

@@ -1,5 +1,6 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
 import re
+from http import cookies
 
 from django.utils.deprecation import MiddlewareMixin
 from django.core.cache import cache
@@ -98,3 +99,31 @@ class ForcePasswdChangeMiddleware(MiddlewareMixin):
         if request.session.get('force_passwd_change', False):
             if self._request_in_black_list(request):
                 return HttpResponseRedirect(reverse('auth_password_change'))
+
+
+cookies.Morsel._reserved["samesite"] = "SameSite"
+OLD_CHROME_REGEX = r"(Chrome|Chromium)\/((5[1-9])|6[0-6])"
+
+
+class SameSiteNoneMiddleware:
+    """Set SameSite="None" if it was None before (workaround for django#30862)
+
+    This middleware will be obsolete when your app will start using Django 3.1.
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+
+        # same-site = None introduced for Chrome 80 breaks for Chrome 51-66
+        # Refer (https://www.chromium.org/updates/same-site/incompatible-clients)
+        user_agent = request.META.get("HTTP_USER_AGENT")
+        if not (user_agent and re.search(OLD_CHROME_REGEX, user_agent)):
+            for name, value in response.cookies.items():
+                if not value.get("samesite"):
+                    value["samesite"] = "None"
+                    value["secure"] = True  # fixes plain set_cookie(name, value)
+
+        return response

seahub/settings.py

@@ -111,6 +111,7 @@ ENABLE_REMOTE_USER_AUTHENTICATION = False
 
 # Order is important
 MIDDLEWARE = [
+    'seahub.base.middleware.SameSiteNoneMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.locale.LocaleMiddleware',
     'django.middleware.common.CommonMiddleware',