dekun
2026-05-30 12:04:03 +08:00
parent 8ffe46a344
commit 61c4d54305
3 changed files with 88 additions and 25 deletions
+23 -2
@@ -137,19 +137,40 @@ def embed_frame_ancestors() -> str:
return " ".join(origins) if origins else "*"
def set_session_cookie(response, request, token: str) -> None:
def set_session_cookie(response, request, token: str, *, embed: bool = False) -> None:
"""
embed=TrueLocalNav 等跨站 iframe 嵌入时须 SameSite=None + Secure(仅 HTTPS 有效)。
"""
secure = cookie_secure_for_request(request)
samesite = "lax"
if embed:
secure = True
samesite = "none"
response.set_cookie(
SESSION_COOKIE,
token,
httponly=True,
samesite="lax",
samesite=samesite,
path="/",
max_age=SESSION_MAX_AGE_SEC,
secure=secure,
)
def clear_session_cookie(response, request, *, embed: bool = False) -> None:
secure = cookie_secure_for_request(request)
samesite = "lax"
if embed:
secure = True
samesite = "none"
response.delete_cookie(
SESSION_COOKIE,
path="/",
secure=secure,
samesite=samesite,
)
def is_public_path(path: str, method: str) -> bool:
p = (path or "").split("?")[0].rstrip("/") or "/"
if p.startswith("/assets"):