#31635: SameSite cookie except on a URL
-----------------------------------------+------------------------
Reporter: James Pic | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 3.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Currently, the SameSite cookie option can be enabled globally, which is
great for a lot of use case.
If you have a form that's embedded via an iframe, which requires both
session and csrf cookies to be sent on POST, then SameSite needs to be
disabled.
The best would be to keep SameSite option on CSRF and Session cookies for
the admin and the rest of the site, except for a particular set of views.
This is currently possible by adding a new middleware that will delete the
samesite key on the response cookies, I suppose it's fine if that API is
going to be supported on the long term, otherwise we should find a public
API allowing Django projects to benefit from SameSite in views such as the
Admin while having it disabled, like with @xframe_options_exempt
--
Ticket URL: <https://code.djangoproject.com/ticket/31635>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/047.3f2d1ed47e7da97fb3838112fd3f427d%40djangoproject.com.
