Opened 6 years ago

Closed 6 years ago

#30304 closed New feature (fixed)

Support setting Secure, HttpOnly, SameSite on the language cookie

Reported by: Ran Benita Owned by: Ran Benita
Component: Internationalization Version: dev
Severity: Normal Keywords: language cookie
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I propose to add the following settings, with the following default values:

LANGUAGE_COOKIE_SECURE = False
LANGUAGE_COOKIE_HTTPONLY = False
LANGUAGE_COOKIE_SAMESITE = None

The default values maintain the current behavior.

These settings do not provide much security value, since the language is not secret or sensitive. This was also discussed briefly here: https://github.com/django/django/pull/8380#discussion_r112448195. The reasons I'd like to add them are:

  1. Sometimes auditors require them.
  2. I personally prefer to set them unless I have a reason *not* to.
  3. Browsers are starting to strongly nudge toward HttpOnly and Secure when possible, e.g. https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/.

Change History (4)

comment:1 by Ran Benita, 6 years ago

Has patch: set
Owner: changed from nobody to Ran Benita
Status: newassigned

comment:2 by Mariusz Felisiak, 6 years ago

Triage Stage: UnreviewedAccepted
Version: master

comment:3 by Mariusz Felisiak, 6 years ago

Triage Stage: AcceptedReady for checkin

comment:4 by Mariusz Felisiak <felisiak.mariusz@…>, 6 years ago

Resolution: fixed
Status: assignedclosed

In 19fc6376:

Fixed #30304 -- Added support for the HttpOnly, SameSite, and Secure flags on language cookies.

Note: See TracTickets for help on using tickets.
Back to Top