diff --git a/zerver/middleware.py b/zerver/middleware.py
index e029dbb197..e30e2d1e17 100644
--- a/zerver/middleware.py
+++ b/zerver/middleware.py
@@ -550,7 +550,16 @@ class LocaleMiddleware(DjangoLocaleMiddleware):
         # and saved in the set_language flag so that it can be used here.
         set_language = RequestNotes.get_notes(request).set_language
         if set_language is not None:
-            response.set_cookie(settings.LANGUAGE_COOKIE_NAME, set_language)
+            response.set_cookie(
+                settings.LANGUAGE_COOKIE_NAME,
+                set_language,
+                max_age=settings.LANGUAGE_COOKIE_AGE,
+                path=settings.LANGUAGE_COOKIE_PATH,
+                domain=settings.LANGUAGE_COOKIE_DOMAIN,
+                secure=settings.LANGUAGE_COOKIE_SECURE,
+                httponly=settings.LANGUAGE_COOKIE_HTTPONLY,  # type: ignore[misc] # https://github.com/typeddjango/django-stubs/pull/1228
+                samesite=settings.LANGUAGE_COOKIE_SAMESITE,
+            )
         return response
diff --git a/zproject/computed_settings.py b/zproject/computed_settings.py
index badff1d89d..d2bfc1f311 100644
--- a/zproject/computed_settings.py
+++ b/zproject/computed_settings.py
@@ -3,7 +3,7 @@ import os
 import sys
 import time
 from copy import deepcopy
-from typing import Any, Dict, List, Tuple, Union
+from typing import Any, Dict, Final, List, Tuple, Union
 from urllib.parse import urljoin
 
 from scripts.lib.zulip_tools import get_tornado_ports
@@ -398,6 +398,7 @@ else:
 if PRODUCTION:
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SECURE = True
+    LANGUAGE_COOKIE_SECURE = True
 
     # https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.2
     SESSION_COOKIE_NAME = "__Host-sessionid"
@@ -409,6 +410,9 @@ if PRODUCTION:
     CSRF_COOKIE_HTTPONLY = True
     CSRF_FAILURE_VIEW = "zerver.middleware.csrf_failure"
 
+# Avoid a deprecation message in the Firefox console
+LANGUAGE_COOKIE_SAMESITE: Final = "Lax"
+
 if DEVELOPMENT:
     # Use fast password hashing for creating testing users when not
     # PRODUCTION. Saves a bunch of time.
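Review bot: The rewritten set_cookie call in LocaleMiddleware has no comment saying why the language cookie must now carry the full LANGUAGE_COOKIE_* attribute set, so a reader of this hunk alone cannot tell that the point is to pick up the Secure and SameSite attributes configured in settings rather than Django's bare defaults (the old one-argument call issued a session cookie with neither). A comment above the call would make that explicit: `# Pass the LANGUAGE_COOKIE_* settings explicitly (as django.views.i18n.set_language presumably does), so the cookie gets the Secure/SameSite attributes configured for this deployment.` The `# type: ignore[misc]` on the httponly argument is reasonable while the linked django-stubs change is unreleased, but adding `# remove once django-stubs#1228 ships` beside the link would keep it from lingering as an unused ignore. The enclosing process_response method starts outside the hunk.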
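Review bot: `LANGUAGE_COOKIE_SECURE = True` is added next to the session and CSRF Secure flags, but the HttpOnly counterpart is not: the neighbouring hunk sets `CSRF_COOKIE_HTTPONLY = True`, while LANGUAGE_COOKIE_HTTPONLY is left at Django's default, which I believe is False, so the language cookie stays readable from JavaScript. The cookie only holds a locale code, so this is not a leak, but it is an inconsistency a maintainer will wonder about; either add `LANGUAGE_COOKIE_HTTPONLY = True` here if the web client does not read the cookie, or document the omission with `# LANGUAGE_COOKIE_HTTPONLY stays False: the cookie is non-sensitive and may be read client-side` — confirm against the frontend before choosing. The `if PRODUCTION:` block continues outside the hunk.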
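Review bot: The comment on `LANGUAGE_COOKIE_SAMESITE: Final = "Lax"` describes only the Firefox symptom, not the behaviour being chosen or why this is the one cookie setting in the section annotated `Final` and placed outside the `if PRODUCTION:` block. Suggested replacement for the comment: `# SameSite=Lax: sent on same-site requests and top-level navigations only. Set in all environments (unlike LANGUAGE_COOKIE_SECURE, it needs no HTTPS); Django's default omits the attribute, which Firefox warns about. Final so mypy infers Literal["Lax"] — presumably what django-stubs' set_cookie samesite parameter requires; confirm.` The placement and the `Final` both look deliberate, so only the rationale is missing, not the code.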