Merge pull request #2693 from davidism/max-cookie-size

add Response.max_cookie_size config
pallets · Apr 10, 2018 · d8bf589
2 parents 465b48e + 1ed756a
commit d8bf589
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 5 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -145,11 +145,14 @@ unreleased
   (`#2635`_)
 - A single trailing slash is stripped from the blueprint ``url_prefix``
   when it is registered with the app. (`#2629`_)
-- :meth:`Request.get_json() <flask.Request.get_json>` doesn't cache the
+- :meth:`Request.get_json` doesn't cache the
   result if parsing fails when ``silent`` is true. (`#2651`_)
-- :func:`request.get_json <flask.Request.get_json>` no longer accepts
-  arbitrary encodings. Incoming JSON should be encoded using UTF-8 per
-  :rfc:`8259`, but Flask will autodetect UTF-8, -16, or -32. (`#2691`_)
+- :func:`Request.get_json` no longer accepts arbitrary encodings.
+  Incoming JSON should be encoded using UTF-8 per :rfc:`8259`, but Flask
+  will autodetect UTF-8, -16, or -32. (`#2691`_)
+- Added :data:`MAX_COOKIE_SIZE` and :attr:`Response.max_cookie_size` to
+  control when Werkzeug warns about large cookies that browsers may
+  ignore. (`#2693`_)
 
 .. _pallets/meta#24: https://github.com/pallets/meta/issues/24
 .. _#1421: https://github.com/pallets/flask/issues/1421
@@ -196,6 +199,7 @@ unreleased
 .. _#2629: https://github.com/pallets/flask/pull/2629
 .. _#2651: https://github.com/pallets/flask/issues/2651
 .. _#2691: https://github.com/pallets/flask/pull/2691
+.. _#2693: https://github.com/pallets/flask/pull/2693
 
 
 Version 0.12.2

diff --git a/docs/api.rst b/docs/api.rst
@@ -85,7 +85,7 @@ Response Objects
 ----------------
 
 .. autoclass:: flask.Response
-   :members: set_cookie, data, mimetype, is_json, get_json
+   :members: set_cookie, max_cookie_size, data, mimetype, is_json, get_json
 
    .. attribute:: headers
 

diff --git a/docs/config.rst b/docs/config.rst
@@ -343,6 +343,12 @@ The following configuration values are used internally by Flask:
 
     Default: ``False``
 
+.. py:data:: MAX_COOKIE_SIZE
+
+    Warn if cookie headers are larger than this many bytes. Defaults to
+    ``4093``. Larger cookies may be silently ignored by browsers. Set to
+    ``0`` to disable the warning.
+
 .. versionadded:: 0.4
    ``LOGGER_NAME``
 
@@ -381,6 +387,8 @@ The following configuration values are used internally by Flask:
     Added :data:`SESSION_COOKIE_SAMESITE` to control the session
     cookie's ``SameSite`` option.
 
+    Added :data:`MAX_COOKIE_SIZE` to control a warning from Werkzeug.
+
 
 Configuring from Files
 ----------------------

diff --git a/flask/app.py b/flask/app.py
@@ -305,6 +305,7 @@ class Flask(_PackageBoundObject):
         'JSONIFY_PRETTYPRINT_REGULAR':          False,
         'JSONIFY_MIMETYPE':                     'application/json',
         'TEMPLATES_AUTO_RELOAD':                None,
+        'MAX_COOKIE_SIZE': 4093,
     })
 
     #: The rule object to use for URL rules created.  This is used by

diff --git a/flask/wrappers.py b/flask/wrappers.py
@@ -191,9 +191,26 @@ class Response(ResponseBase, JSONMixin):
     .. versionchanged:: 1.0
         JSON support is added to the response, like the request. This is useful
         when testing to get the test client response data as JSON.
+
+    .. versionchanged:: 1.0
+
+        Added :attr:`max_cookie_size`.
     """
 
     default_mimetype = 'text/html'
 
     def _get_data_for_json(self, cache):
         return self.get_data()
+
+    @property
+    def max_cookie_size(self):