id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27863	"Implement ""SameSite"" flag for session and CSRF cookies"	Alex Gaynor	Paweł Krawczyk	"SameSite is a mechanism for telling browsers not to send a cookie on requests with a different origin. It's not yet widely supported to the point of being the only CSRF protection (http://caniuse.com/#feat=same-site-cookie-attribute), but at 50% global deployment, it'd be very useful for Defense in Depth.

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

I believe simply adding `SameSite=lax` to the session cookie is all that'd be required to get this protection, and I don't think there'd be any backwards compatibility concerns (<---- almost certainly not this simple)."	New feature	closed	HTTP handling	dev	Normal	fixed			Accepted	1	0	0	1	0	0
