From cff10ebfcbeaa374a323b866fda49730f3bb1dd4 Mon Sep 17 00:00:00 2001 From: Craig Rueda Date: Sun, 29 Sep 2019 16:11:22 -0700 Subject: [PATCH] Adding explicit Flask session cookie options to default config (#8317) * Adding explicit Flask session cookie options to default config * Blacking --- superset/config.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/superset/config.py b/superset/config.py index fe348a18d..79f723d45 100644 --- a/superset/config.py +++ b/superset/config.py @@ -655,6 +655,16 @@ TALISMAN_CONFIG = { "force_https_permanent": False, } +# +# Flask session cookie options +# +# See https://flask.palletsprojects.com/en/1.1.x/security/#set-cookie-options +# for details +# +SESSION_COOKIE_HTTPONLY = True # Prevent cookie from being read by frontend JS? +SESSION_COOKIE_SECURE = False # Prevent cookie from being transmitted over non-tls? +SESSION_COOKIE_SAMESITE = "Lax" # One of [None, 'Lax', 'Strict'] + # URI to database storing the example data, points to # SQLALCHEMY_DATABASE_URI by default if set to `None` SQLALCHEMY_EXAMPLES_URI = None
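Review bot: `SESSION_COOKIE_SECURE = False` makes the plaintext-transmittable session cookie the explicit default, and the trailing comment ("Prevent cookie from being transmitted over non-tls?") is phrased as a question rather than telling a deployer what to do; since this sits directly under `TALISMAN_CONFIG` (whose `force_https` context is visible in the hunk), I would state the expected production value: `SESSION_COOKIE_SECURE = False  # Set True when Superset is served over TLS (cf. TALISMAN_CONFIG force_https); False lets the session cookie travel in the clear`. Similarly the `SESSION_COOKIE_HTTPONLY` comment should read as a statement, e.g. `# Keep the session cookie out of reach of frontend JavaScript`. For `SESSION_COOKIE_SAMESITE`, the `[None, 'Lax', 'Strict']` hint is ambiguous: as far as I can tell Flask treats Python `None` as "omit the attribute" rather than emitting `SameSite=None`, and a `SameSite=None` cookie would in any case require `Secure`, so I would note `# Python None omits the SameSite attribute; it is not SameSite=None` and confirm against the Flask version the project pins.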