pallets · Josecespedesant · Jun 10, 2024 · Jun 10, 2024 · Jun 10, 2024 · Jun 10, 2024
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -3,6 +3,7 @@ Version 3.1.0
 
 -   Provide a configuration option to control automatic option
     responses. :pr:`5496`
+-   Added support for SESSION_COOKIE_PARTITIONED. :issue`5472`
 
 
 Version 3.0.3

diff --git a/docs/config.rst b/docs/config.rst
@@ -167,6 +167,15 @@ The following configuration values are used internally by Flask:
 
     Default: ``False``
 
+.. py:data:: SESSION_COOKIE_PARTITIONED
+
+    Browsers are well under way in phasing out unpartitioned third-party cookies,
+    so Cookies Having Independent Partitioned State, the Storage Access API,
+    and Related Website Sets will be the only way to read and write cookies
+    from cross-site contexts, such as iframes, when third-party cookies are blocked.
+
+    Default: ``False``
+
 .. py:data:: SESSION_COOKIE_SAMESITE
 
     Restrict how cookies are sent with requests from external sites. Can

diff --git a/docs/web-security.rst b/docs/web-security.rst
@@ -194,6 +194,7 @@ They can be set on other cookies too.
 ::
 
     app.config.update(
+        SESSION_COOKIE_PARTITIONED=True,
         SESSION_COOKIE_SECURE=True,
         SESSION_COOKIE_HTTPONLY=True,
         SESSION_COOKIE_SAMESITE='Lax',

diff --git a/src/flask/app.py b/src/flask/app.py
@@ -188,6 +188,7 @@ class Flask(App):
             "SESSION_COOKIE_PATH": None,
             "SESSION_COOKIE_HTTPONLY": True,
             "SESSION_COOKIE_SECURE": False,
+            "SESSION_COOKIE_PARTITIONED": False,
             "SESSION_COOKIE_SAMESITE": None,
             "SESSION_REFRESH_EACH_REQUEST": True,
             "MAX_CONTENT_LENGTH": None,

diff --git a/src/flask/sessions.py b/src/flask/sessions.py
@@ -224,6 +224,12 @@ def get_cookie_samesite(self, app: Flask) -> str | None:
         """
         return app.config["SESSION_COOKIE_SAMESITE"]  # type: ignore[no-any-return]
 
+    def get_cookie_partitioned(self, app: Flask) -> bool:
+        """Returns True if the cookie should be partitioned.  This currently
+        just returns the value of the ``SESSION_COOKIE_PARTITIONED`` setting.
+        """
+        return app.config["SESSION_COOKIE_PARTITIONED"]  # type: ignore[no-any-return]
+
     def get_expiration_time(self, app: Flask, session: SessionMixin) -> datetime | None:
         """A helper method that returns an expiration date for the session
         or ``None`` if the session is linked to the browser session.  The

diff --git a/tests/test_basic.py b/tests/test_basic.py
@@ -293,6 +293,7 @@ def test_session_using_session_settings(app, client):
         SESSION_COOKIE_DOMAIN=".example.com",
         SESSION_COOKIE_HTTPONLY=False,
         SESSION_COOKIE_SECURE=True,
+        SESSION_COOKIE_PARTITIONED=True,
         SESSION_COOKIE_SAMESITE="Lax",
         SESSION_COOKIE_PATH="/",
     )
@@ -315,6 +316,7 @@ def clear():
     assert "secure" in cookie
     assert "httponly" not in cookie
     assert "samesite" in cookie
+    assert "partitioned" in cookie
 
     rv = client.get("/clear", "http://www.example.com:8080/test/")
     cookie = rv.headers["set-cookie"].lower()
@@ -324,6 +326,7 @@ def clear():
     assert "path=/" in cookie
     assert "secure" in cookie
     assert "samesite" in cookie
+    assert "partitioned" in cookie
 
 
 def test_session_using_samesite_attribute(app, client):