Opened 5 years ago
Closed 5 years ago
#30304 closed New feature (fixed)
Support setting Secure, HttpOnly, SameSite on the language cookie
| Reported by: | Ran Benita | Owned by: | Ran Benita |
|---|---|---|---|
| Component: | Internationalization | Version: | dev |
| Severity: | Normal | Keywords: | language cookie |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I propose to add the following settings, with the following default values:
LANGUAGE_COOKIE_SECURE = False LANGUAGE_COOKIE_HTTPONLY = False LANGUAGE_COOKIE_SAMESITE = None
The default values maintain the current behavior.
These settings do not provide much security value, since the language is not secret or sensitive. This was also discussed briefly here: https://github.com/django/django/pull/8380#discussion_r112448195. The reasons I'd like to add them are:
- Sometimes auditors require them.
- I personally prefer to set them unless I have a reason *not* to.
- Browsers are starting to strongly nudge toward HttpOnly and Secure when possible, e.g. https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/.
Change History (4)
comment:1 by , 5 years ago
| Has patch: | set |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
comment:2 by , 5 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Version: | → master |
comment:3 by , 5 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Note:
See TracTickets
for help on using tickets.
I created a pull request: https://github.com/django/django/pull/11155