id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31635	SameSite cookie except on a URL	James Pic	nobody	"Currently, the SameSite cookie option can be enabled globally, which is great for a lot of use case.

If you have a form that's embedded via an iframe, which requires both session and csrf cookies to be sent on POST, then SameSite needs to be disabled.

The best would be to keep SameSite option on CSRF and Session cookies for the admin and the rest of the site, except for a particular set of views.

This is currently possible by adding a new middleware that will delete the samesite key on the response cookies, I suppose it's fine if that API is going to be supported on the long term, otherwise we should find a public API allowing Django projects to benefit from SameSite in views such as the Admin while having it disabled on other views, like with @xframe_options_exempt"	New feature	closed	HTTP handling	3.0	Normal	wontfix			Unreviewed	0	0	0	0	0	0