From: X. Angelo Huang <63465494+Flecart@users.noreply.github.com>
Date: Sun, 4 May 2025 09:54:01 +0000 (+0200)
Subject: feat: add partitioned attribute to cookie (#2501)
X-Git-Tag: 0.47.0~5
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=4acf1d1ca3e8aa767567cb4e6e12f093f066553b;p=thirdparty%2Fstarlette.git

feat: add partitioned attribute to cookie (#2501)

Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
---

diff --git a/docs/responses.md b/docs/responses.md
index a19f7701..e6b0a193 100644
--- a/docs/responses.md
+++ b/docs/responses.md
@@ -31,7 +31,7 @@ async def app(scope, receive, send):
 
 Starlette provides a `set_cookie` method to allow you to set cookies on the response object.
 
-Signature: `Response.set_cookie(key, value, max_age=None, expires=None, path="/", domain=None, secure=False, httponly=False, samesite="lax")`
+Signature: `Response.set_cookie(key, value, max_age=None, expires=None, path="/", domain=None, secure=False, httponly=False, samesite="lax", partitioned=False)`
 
 * `key` - A string that will be the cookie's key.
 * `value` - A string that will be the cookie's value.
@@ -42,6 +42,7 @@ Signature: `Response.set_cookie(key, value, max_age=None, expires=None, path="/"
 * `secure` - A bool indicating that the cookie will only be sent to the server if request is made using SSL and the HTTPS protocol. `Optional`
 * `httponly` - A bool indicating that the cookie cannot be accessed via JavaScript through `Document.cookie` property, the `XMLHttpRequest` or `Request` APIs. `Optional`
 * `samesite` - A string that specifies the samesite strategy for the cookie. Valid values are `'lax'`, `'strict'` and `'none'`. Defaults to `'lax'`. `Optional`
+* `partitioned` - A bool that indicates to user agents that these cross-site cookies should only be available in the same top-level context that the cookie was first set in. Only available for Python 3.14+, otherwise an error will be raised. `Optional`
 
 #### Delete Cookie
 
diff --git a/starlette/responses.py b/starlette/responses.py
index 81e89fae..c956ff6a 100644
--- a/starlette/responses.py
+++ b/starlette/responses.py
@@ -6,6 +6,7 @@ import json
 import os
 import re
 import stat
+import sys
 import typing
 import warnings
 from datetime import datetime
@@ -97,6 +98,7 @@ class Response:
         secure: bool = False,
         httponly: bool = False,
         samesite: typing.Literal["lax", "strict", "none"] | None = "lax",
+        partitioned: bool = False,
     ) -> None:
         cookie: http.cookies.BaseCookie[str] = http.cookies.SimpleCookie()
         cookie[key] = value
@@ -122,6 +124,11 @@ class Response:
                 "none",
             ], "samesite must be either 'strict', 'lax' or 'none'"
             cookie[key]["samesite"] = samesite
+        if partitioned:
+            if sys.version_info < (3, 14):
+                raise ValueError("Partitioned cookies are only supported in Python 3.14 and above.")  # pragma: no cover
+            cookie[key]["partitioned"] = True  # pragma: no cover
+
         cookie_val = cookie.output(header="").strip()
         self.raw_headers.append((b"set-cookie", cookie_val.encode("latin-1")))
 
diff --git a/tests/test_responses.py b/tests/test_responses.py
index 0a00e936..baf7c98f 100644
--- a/tests/test_responses.py
+++ b/tests/test_responses.py
@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import datetime as dt
+import sys
 import time
 from collections.abc import AsyncGenerator, AsyncIterator, Iterator
 from http.cookies import SimpleCookie
@@ -370,18 +371,37 @@ def test_set_cookie(test_client_factory: TestClientFactory, monkeypatch: pytest.
             secure=True,
             httponly=True,
             samesite="none",
+            partitioned=True if sys.version_info >= (3, 14) else False,
         )
         await response(scope, receive, send)
 
+    partitioned_text = "Partitioned; " if sys.version_info >= (3, 14) else ""
+
     client = test_client_factory(app)
     response = client.get("/")
     assert response.text == "Hello, world!"
     assert (
         response.headers["set-cookie"] == "mycookie=myvalue; Domain=localhost; expires=Thu, 22 Jan 2037 12:00:10 GMT; "
-        "HttpOnly; Max-Age=10; Path=/; SameSite=none; Secure"
+        f"HttpOnly; Max-Age=10; {partitioned_text}Path=/; SameSite=none; Secure"
     )
 
 
+@pytest.mark.skipif(sys.version_info >= (3, 14), reason="Only relevant for <3.14")
+def test_set_cookie_raises_for_invalid_python_version(
+    test_client_factory: TestClientFactory,
+) -> None:  # pragma: no cover
+    async def app(scope: Scope, receive: Receive, send: Send) -> None:
+        response = Response("Hello, world!", media_type="text/plain")
+        with pytest.raises(ValueError):
+            response.set_cookie("mycookie", "myvalue", partitioned=True)
+        await response(scope, receive, send)
+
+    client = test_client_factory(app)
+    response = client.get("/")
+    assert response.text == "Hello, world!"
+    assert response.headers.get("set-cookie") is None
+
+
 def test_set_cookie_path_none(test_client_factory: TestClientFactory) -> None:
     async def app(scope: Scope, receive: Receive, send: Send) -> None:
         response = Response("Hello, world!", media_type="text/plain")