middleware: Set the correct options on the django_language cookie.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

zerver/middleware.py

@@ -550,7 +550,16 @@ class LocaleMiddleware(DjangoLocaleMiddleware):
         # and saved in the set_language flag so that it can be used here.
         set_language = RequestNotes.get_notes(request).set_language
         if set_language is not None:
-            response.set_cookie(settings.LANGUAGE_COOKIE_NAME, set_language)
+            response.set_cookie(
+                settings.LANGUAGE_COOKIE_NAME,
+                set_language,
+                max_age=settings.LANGUAGE_COOKIE_AGE,
+                path=settings.LANGUAGE_COOKIE_PATH,
+                domain=settings.LANGUAGE_COOKIE_DOMAIN,
+                secure=settings.LANGUAGE_COOKIE_SECURE,
+                httponly=settings.LANGUAGE_COOKIE_HTTPONLY,  # type: ignore[misc] # https://github.com/typeddjango/django-stubs/pull/1228
+                samesite=settings.LANGUAGE_COOKIE_SAMESITE,
+            )
 
         return response
 

zproject/computed_settings.py

@@ -3,7 +3,7 @@ import os
 import sys
 import time
 from copy import deepcopy
-from typing import Any, Dict, List, Tuple, Union
+from typing import Any, Dict, Final, List, Tuple, Union
 from urllib.parse import urljoin
 
 from scripts.lib.zulip_tools import get_tornado_ports
@@ -398,6 +398,7 @@ else:
 if PRODUCTION:
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SECURE = True
+    LANGUAGE_COOKIE_SECURE = True
 
     # https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.2
     SESSION_COOKIE_NAME = "__Host-sessionid"
@@ -409,6 +410,9 @@ if PRODUCTION:
 CSRF_COOKIE_HTTPONLY = True
 CSRF_FAILURE_VIEW = "zerver.middleware.csrf_failure"
 
+# Avoid a deprecation message in the Firefox console
+LANGUAGE_COOKIE_SAMESITE: Final = "Lax"
+
 if DEVELOPMENT:
     # Use fast password hashing for creating testing users when not
     # PRODUCTION.  Saves a bunch of time.