From bb85420e914978dc8c53d8bb180afc2a4b0d580c Mon Sep 17 00:00:00 2001
From: Jillian Vogel
Date: Thu, 9 Apr 2020 18:12:59 +0930
Subject: [PATCH] Adds django-cookies-sameseite middleware and settings to set SameSite=None for all secure cookies.
---
lms/envs/common.py | 5 +++++
requirements/edx/base.in | 1 +
requirements/edx/base.txt | 1 +
requirements/edx/development.txt | 1 +
requirements/edx/testing.txt | 1 +
5 files changed, 9 insertions(+)
diff --git a/lms/envs/common.py b/lms/envs/common.py
index de3a2ca754..f6796d5ada 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1144,6 +1144,8 @@ SESSION_SAVE_EVERY_REQUEST = False
 SESSION_SERIALIZER = 'openedx.core.lib.session_serializers.PickleSerializer'
 SESSION_COOKIE_DOMAIN = ""
 SESSION_COOKIE_NAME = 'sessionid'
+SESSION_COOKIE_SAMESITE = 'None'
+SESSION_COOKIE_SAMESITE_FORCE_ALL = True
 # CMS base
 CMS_BASE = 'localhost:18010'
@@ -1566,6 +1568,9 @@ MIDDLEWARE = [
 # Handles automatically storing user ids in django-simple-history tables when possible.
 'simple_history.middleware.HistoryRequestMiddleware',
+ # Sets SameSite flag for session and csrf cookies in legacy versions of Django.
 'django_cookies_samesite.middleware.CookiesSameSite',
+
 # This must be last
 'openedx.core.djangoapps.site_configuration.middleware.SessionCookieDomainOverrideMiddleware',
 ]
diff --git a/requirements/edx/base.in b/requirements/edx/base.in
index 8cc6ae1b8b..44ba980fe1 100644
--- a/requirements/edx/base.in
+++ b/requirements/edx/base.in
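Review bot: `SESSION_COOKIE_SAMESITE = 'None'` is only honored by browsers when the cookie also carries the Secure attribute, but nothing in this hunk sets `SESSION_COOKIE_SECURE` or `CSRF_COOKIE_SECURE`, so whether the cookies survive depends on settings outside this diff, and a plain-HTTP devstack would have its session cookie dropped by current browsers. Setting `SESSION_COOKIE_SAMESITE_FORCE_ALL = True` also gives up the browser-side Lax default for every cookie the LMS emits, not just the session and CSRF cookies that presumably need cross-site delivery, leaving CsrfViewMiddleware as the only CSRF defence; if this library version offers a per-cookie list (`SESSION_COOKIE_SAMESITE_KEYS` or similar), that would be the least-privilege choice. The two new lines carry no comment explaining why cross-site cookies are needed or what they depend on; I would add above them `# SameSite=None lets the session/CSRF cookies ride on cross-site requests (e.g. when the LMS is embedded in another site). Browsers require Secure on such cookies, so SESSION_COOKIE_SECURE/CSRF_COOKIE_SECURE must be True in any deployment, and CSRF protection then rests on CsrfViewMiddleware alone.` Note too that, if I recall the framework history correctly, Django 2.1 through 3.0 raise ValueError on the string 'None' in set_cookie(samesite=...), so this value needs revisiting on any Django upgrade that lands before 3.1.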
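Review bot: The comment added with the middleware, `# Sets SameSite flag for session and csrf cookies in legacy versions of Django.`, names neither the Django version at which the middleware becomes redundant nor why it sits just before the entry marked "This must be last", both of which a future upgrade or reorder will need. Django reads SESSION_COOKIE_SAMESITE itself from 2.1 but, as far as I recall, accepts the string 'None' only from 3.1, so the removal condition is the 3.1 upgrade rather than "legacy" in general. Because Django runs response-phase middleware in reverse list order, CookiesSameSite placed here rewrites cookies after SessionCookieDomainOverrideMiddleware has set them, which is presumably the intent. Suggested replacement: `# Adds the SameSite attribute to session/CSRF cookies on Django < 3.1, which cannot emit SameSite=None itself; remove once on Django >= 3.1. Keep it below any middleware that sets cookies (response middleware runs bottom-up) so it sees them.` The MIDDLEWARE list starts outside this hunk.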
@@ -38,6 +38,7 @@ contextlib2 # We need contextlib2.ExitStack so we can st
 defusedxml
 Django<1.12 # Web application framework
 django-celery # Only used for the CacheBackend for celery results
+django-cookies-samesite # Middleware which sets SameSite flag for session and csrf cookies in Django<2.2
 django-config-models>=1.0.0 # Configuration models for Django allowing config management with auditing
 django-cors-headers # Used to allow to configure CORS headers for cross-domain requests
 django-countries # Country data for Django forms and model fields
diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt
index e03ac9ece8..51131d4b7d 100644
--- a/requirements/edx/base.txt
+++ b/requirements/edx/base.txt
@@ -57,6 +57,7 @@ git+https://github.com/Zegocover/enmerkar.git@dbc113798aa4beabdfa2d00e6fef48248e
 django-celery==3.3.1 # via -r requirements/edx/base.in
 django-classy-tags==1.0.0 # via django-sekizai
 django-config-models==2.0.0 # via -r requirements/edx/base.in, edx-enterprise
+django-cookies-samesite==0.5.1 # via -r requirements/edx/base.in
 django-cors-headers==2.5.3 # via -c requirements/edx/../constraints.txt, -r requirements/edx/base.in
 django-countries==5.5 # via -c requirements/edx/../constraints.txt, -r requirements/edx/base.in, edx-enterprise
 django-crum==0.7.5 # via -r requirements/edx/base.in, edx-enterprise, edx-proctoring, edx-rbac, super-csv
diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt
index 2ac279de3a..e61a828f6b 100644
--- a/requirements/edx/development.txt
+++ b/requirements/edx/development.txt
@@ -68,6 +68,7 @@ git+https://github.com/Zegocover/enmerkar.git@dbc113798aa4beabdfa2d00e6fef48248e
 django-celery==3.3.1 # via -r requirements/edx/testing.txt
 django-classy-tags==1.0.0 # via -r requirements/edx/testing.txt, django-sekizai
 django-config-models==2.0.0 # via -r requirements/edx/testing.txt, edx-enterprise
+django-cookies-samesite==0.5.1 # via -r requirements/edx/testing.txt
 django-cors-headers==2.5.3 # via -c requirements/edx/../constraints.txt, -r requirements/edx/testing.txt
 django-countries==5.5 # via -c requirements/edx/../constraints.txt, -r requirements/edx/testing.txt, edx-enterprise
 django-crum==0.7.5 # via -r requirements/edx/testing.txt, edx-enterprise, edx-proctoring, edx-rbac, super-csv
diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt
index 51cd0e32c0..f8121b04cc 100644
--- a/requirements/edx/testing.txt
+++ b/requirements/edx/testing.txt
@@ -67,6 +67,7 @@ git+https://github.com/Zegocover/enmerkar.git@dbc113798aa4beabdfa2d00e6fef48248e
 django-celery==3.3.1 # via -r requirements/edx/base.txt
 django-classy-tags==1.0.0 # via -r requirements/edx/base.txt, django-sekizai
 django-config-models==2.0.0 # via -r requirements/edx/base.txt, edx-enterprise
+django-cookies-samesite==0.5.1 # via -r requirements/edx/base.txt
 django-cors-headers==2.5.3 # via -c requirements/edx/../constraints.txt, -r requirements/edx/base.txt
 django-countries==5.5 # via -c requirements/edx/../constraints.txt, -r requirements/edx/base.txt, edx-enterprise
 django-crum==0.7.5 # via -r requirements/edx/base.txt, edx-enterprise, edx-proctoring, edx-rbac, super-csv