Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#30862 closed New feature (fixed)

Explicitly SameSite: None cookies.

Reported by: Osaetin Daniel Owned by: Osaetin Daniel
Component: HTTP handling Version: dev
Severity: Normal Keywords: cookies, request, response
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When setting cookies (with .set_cookie and set_signed_cookie) the default value for the samesite argument is None but the problem here is that Django doesn't do anything with the None value.

This behaviour used to be fine because most browsers assumed that a missing samesite attribute on a cookie meant None. But now, Chrome has issued a warning that samesite has to be explicitly set to None else the cookies won't be sent for cross-origin requests.

https://www.chromestatus.com/feature/5633521622188032

Change History (9)

comment:1 by Carlton Gibson, 5 years ago

Component: contrib.sessionsHTTP handling
Summary: Explicitly set SameSite: None cookiesExplicitly set `secure` for SameSite: None cookies.
Triage Stage: UnreviewedAccepted

Hi.

The link you've given implies that if samesite is None then we must set secure — we're not doing that so we should add an extra clause in there.

Chrome has issued a warning that samesite has to be explicitly set to None else the cookies won't be sent for cross-origin requests.

Is this the same point? (It reads differently to me at first glance.)

in reply to:  1 comment:2 by Osaetin Daniel, 5 years ago

Replying to Carlton Gibson:

Hi.

The link you've given implies that if samesite is None then we must set secure — we're not doing that so we should add an extra clause in there.

Chrome has issued a warning that samesite has to be explicitly set to None else the cookies won't be sent for cross-origin requests.

Is this the same point? (It reads differently to me at first glance.)

My bad. The title of the ticket is misleading What I meant to say was to "allow the option to set 'same-site' to 'None'". At the moment, you can only set it to "Strict" or "Lax".

This statement "The link you've given implies that if samesite is None then we must set secure" is correct but I think the best thing is to be as flexible as possible. Although Chrome's warning has good intentions, it is not a global browser standard and other users (For reasons best known to them) might want to set the secure flag without samesite and vice-versa.
So in this case, the best option, In my opinion, is to allow "None" (as a string) without enforcing secure=True and at the same time preserve the current behaviour.

Perhaps I jumped the gun with this but I've already opened a PR that communicates my intentions: https://github.com/django/django/pull/11894

comment:3 by Carlton Gibson, 5 years ago

Has patch: set
Summary: Explicitly set `secure` for SameSite: None cookies.Explicitly SameSite: None cookies.

OK, thank for the update. Makes sense. I've re-titled again accordingly.

...I've already opened a PR ...

Gun jumping of that kind we very much like. 🙂

Thanks.

comment:4 by Carlton Gibson, 5 years ago

Needs tests: set
Patch needs improvement: set

comment:5 by Mariusz Felisiak, 5 years ago

Needs tests: unset
Owner: changed from nobody to Osaetin Daniel
Patch needs improvement: unset
Status: newassigned
Version: 2.2master

comment:6 by Mariusz Felisiak, 5 years ago

Type: BugNew feature

comment:7 by Mariusz Felisiak, 5 years ago

Triage Stage: AcceptedReady for checkin

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Resolution: fixed
Status: assignedclosed

In b33bfc3:

Fixed #30862 -- Allowed setting SameSite cookies flags to 'none'.

Thanks Florian Apolloner and Carlton Gibson for reviews.

comment:9 by אורי, 4 years ago

I created issue #31933.

I think this change should be backported to all working versions of Django, to allow setting SESSION_COOKIE_SAMESITE = 'None' manually in all versions, which are still in use until 2022.

Note: See TracTickets for help on using tickets.
Back to Top