Opened 6 years ago
Closed 6 years ago
#30304 closed New feature (fixed)
Support setting Secure, HttpOnly, SameSite on the language cookie
| Reported by: | Ran Benita | Owned by: | Ran Benita |
|---|---|---|---|
| Component: | Internationalization | Version: | dev |
| Severity: | Normal | Keywords: | language cookie |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I propose to add the following settings, with the following default values:
```python
LANGUAGE_COOKIE_SECURE = False
LANGUAGE_COOKIE_HTTPONLY = False
LANGUAGE_COOKIE_SAMESITE = None
```
The default values maintain the current behavior.
These settings do not provide much security value, since the language is not secret or sensitive. This was also discussed briefly here: https://github.com/django/django/pull/8380#discussion_r112448195. The reasons I'd like to add them are:
- Sometimes auditors require them.
- I personally prefer to set them unless I have a reason *not* to.
- Browsers are starting to strongly nudge toward HttpOnly and Secure when possible, e.g. https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/.
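As an added illustration (not code from the ticket, the pull request, or Django itself), the following builds the `Set-Cookie` header for the language cookie from the three proposed settings and checks the result. It uses only the standard library's `http.cookies`, so it runs without Django; the settings dict, the `language_cookie_header` and `cookie_attributes` helpers, and the `SameSite=None`-requires-`Secure` check are this example's own assumptions, not Django behaviour. The cookie name `django_language` matches Django's `LANGUAGE_COOKIE_NAME` default.

```python
from http.cookies import SimpleCookie

# Defaults as proposed in the ticket, held in a plain dict so this runs without
# a Django settings module (constructed for this example).
DEFAULT_SETTINGS = {
    "LANGUAGE_COOKIE_NAME": "django_language",
    "LANGUAGE_COOKIE_SECURE": False,
    "LANGUAGE_COOKIE_HTTPONLY": False,
    "LANGUAGE_COOKIE_SAMESITE": None,
}

# Settings an auditor would typically ask for (constructed for this example).
HARDENED_SETTINGS = {
    "LANGUAGE_COOKIE_SECURE": True,
    "LANGUAGE_COOKIE_HTTPONLY": True,
    "LANGUAGE_COOKIE_SAMESITE": "Lax",
}


def language_cookie_header(lang_code, overrides=None):
    """Return the Set-Cookie header value for the language cookie.

    `overrides` is merged over DEFAULT_SETTINGS, mirroring how a project
    settings file would override Django's defaults. Hypothetical helper.
    """
    settings = {**DEFAULT_SETTINGS, **(overrides or {})}
    samesite = settings["LANGUAGE_COOKIE_SAMESITE"]

    # Only the three SameSite values browsers understand are allowed.
    if samesite is not None and samesite.lower() not in ("lax", "none", "strict"):
        raise ValueError('LANGUAGE_COOKIE_SAMESITE must be "Lax", "None" or "Strict"')

    # Caveat (this example's own check, not a Django rule): browsers reject a
    # SameSite=None cookie that is not also marked Secure.
    if samesite is not None and samesite.lower() == "none" and not settings["LANGUAGE_COOKIE_SECURE"]:
        raise ValueError("SameSite=None requires LANGUAGE_COOKIE_SECURE = True")

    name = settings["LANGUAGE_COOKIE_NAME"]
    cookie = SimpleCookie()
    cookie[name] = lang_code
    cookie[name]["path"] = "/"
    if settings["LANGUAGE_COOKIE_SECURE"]:
        cookie[name]["secure"] = True      # emitted as the bare "Secure" flag
    if settings["LANGUAGE_COOKIE_HTTPONLY"]:
        cookie[name]["httponly"] = True    # emitted as the bare "HttpOnly" flag
    if samesite is not None:
        cookie[name]["samesite"] = samesite
    return cookie[name].OutputString()


def cookie_attributes(header_value):
    """Parse a Set-Cookie value into (name, value, {attribute: value}).

    Flag attributes (Secure, HttpOnly) map to True; attribute names are
    lower-cased so the check does not depend on emission order.
    """
    parts = [part.strip() for part in header_value.split(";")]
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.lower()] = val
        else:
            attrs[part.lower()] = True
    return name, value, attrs


if __name__ == "__main__":
    print(language_cookie_header("en"))                     # defaults: no flags
    print(language_cookie_header("en", HARDENED_SETTINGS))  # Secure; HttpOnly; SameSite=Lax
```

With the defaults the header carries only `Path=/`, which is the current behaviour the ticket wants to preserve; with the hardened overrides it gains `Secure`, `HttpOnly` and `SameSite=Lax`, which is what an audit scanner looks for.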
Change History (4)
comment:1 by , 6 years ago
| Has patch: | set |
|---|---|
| Owner: | changed from | to |
| Status: | new → assigned |
comment:2 by , 6 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Version: | → master |
comment:3 by , 6 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|---|
I created a pull request: https://github.com/django/django/pull/11155