#31934: SESSION_COOKIE_SAMESITE - document that unsetting "SameSite" has defaults in some browsers
-------------------------------+--------------------------------------
     Reporter:  אורי           |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  Core (Other)   |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Description changed by אורי:

Old description:

> [https://code.djangoproject.com/ticket/31933 #31933]
>
> `SESSION_COOKIE_SAMESITE` is documented (in Django 3.1) with the options
> 'Strict', 'Lax', 'None' and False. However, False means cookies will be
> sent without `SameSite`, which means some browsers (Chrome, Dolphin) will
> give it a default such as 'Lax', which is different than what used to be in
> the past. I think this default should be documented in all active
> versions of Django. Maybe it's also better to add that using False is not
> recommended.

New description:

 [https://code.djangoproject.com/ticket/31933 #31933]

 `SESSION_COOKIE_SAMESITE` is documented (in Django 3.1) with the options
 'Strict', 'Lax', 'None' and False. However, False means cookies will be
 sent without `SameSite`, which means some browsers (Chrome, Dolphin) will
 give it a default such as 'Lax', which is different than what used to be in
 the past. I think this default should be documented in all active versions
 of Django. Maybe it's also better to add that using False is not
 recommended.

 Also, document that with Chrome, if you use 'None' the cookie must be
 secure.

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/31934#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
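
The behaviour the ticket asks to have documented, as an added example that is not part of the original message and is not Django's own code. It renders a session cookie header with the standard library for a given `SESSION_COOKIE_SAMESITE` / `SESSION_COOKIE_SECURE` pair and then applies a simplified model of the browser rules the ticket describes for Chrome (missing attribute treated as 'Lax', 'None' requires a secure cookie); the function names and the cookie value are hypothetical.

```python
from http.cookies import SimpleCookie


def build_session_cookie(samesite, secure, name="sessionid", value="constructed-value"):
    """Render a Set-Cookie value for the given settings (stdlib model, not Django's code)."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if samesite:  # False omits the SameSite attribute entirely
        morsel["samesite"] = samesite
    return morsel.OutputString()


def browser_view(set_cookie_value):
    """Return (accepted, effective_samesite) under the assumed browser rules."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_value)
    morsel = next(iter(parsed.values()))
    declared = morsel["samesite"].capitalize()  # '' when the attribute is absent
    is_secure = bool(morsel["secure"])
    if not declared:
        # Assumption from the ticket: the browser fills in 'Lax' by default.
        return True, "Lax"
    if declared == "None" and not is_secure:
        # Assumption from the ticket: 'None' is only honoured on a secure cookie.
        return False, None
    return True, declared


def audit(samesite, secure):
    """Show what is sent and what the modelled browser ends up enforcing."""
    header = build_session_cookie(samesite, secure)
    accepted, effective = browser_view(header)
    return {"header": header, "accepted": accepted, "effective": effective}


if __name__ == "__main__":
    for samesite, secure in [(False, False), ("None", False), ("None", True), ("Strict", True)]:
        print(samesite, secure, audit(samesite, secure))
```
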
