Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#31871 closed Cleanup/optimization (fixed)

SESSION_COOKIE_SAMESITE comment in global_settings is outdated.

Reported by: אורי Owned by: nobody
Component: Core (Other) Version: 3.1
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

https://github.com/django/django/blob/master/django/conf/global_settings.py#L472-L473

# Whether to set the flag restricting cookie leaks on cross-site requests.
# This can be 'Lax', 'Strict', or None to disable the flag.

This is not what is written in https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SAMESITE

As a side note, I understand that using None can also disable the flag - not only False, and I think this should be documented (since None was the way to disable the flag with Django <= 3.0 - so it should be documented that None still works like before).

Change History (5)

comment:1 Changed 18 months ago by Mariusz Felisiak

Easy pickings: set
Summary: SESSION_COOKIE_SAMESITE is not correctly documented on django.conf.global_settingsSESSION_COOKIE_SAMESITE comment in global_settings is outdated.
Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization
Version: master3.1

Agreed, we should update comments in django/conf/global_settings.py:

# Whether to set the flag restricting cookie leaks on cross-site requests.
# This can be 'Lax', 'Strict', 'None', or False to disable the flag.

As a side note, I understand that using None can also disable the flag - not only False, and I think this should be documented (since None was the way to disable the flag with Django <= 3.0 - so it should be documented that None still works like before).

Yes you can use None but it's not a recommended, we've changed None to False in docs to avoid confusions with 'none' (see comments) and IMO we shouldn't bring it back in docs.

comment:2 Changed 18 months ago by אורי

comment:3 Changed 18 months ago by Mariusz Felisiak

Has patch: set
Triage Stage: AcceptedReady for checkin

comment:4 Changed 18 months ago by GitHub <noreply@…>

Resolution: fixed
Status: newclosed

In ad827dda:

Fixed #31871 -- Updated SESSION_COOKIE_SAMESITE comment in global_settings.py.

Follow up to b33bfc383935cd26e19a2cf71d066ac6edd1425f.

comment:5 Changed 18 months ago by Mariusz Felisiak <felisiak.mariusz@…>

In a1ce98fa:

[3.1.x] Fixed #31871 -- Updated SESSION_COOKIE_SAMESITE comment in global_settings.py.

Follow up to b33bfc383935cd26e19a2cf71d066ac6edd1425f.
Backport of ad827ddaef05069a1385cc2d26fd2ab9c6ba1f4d from master

Note: See TracTickets for help on using tickets.
Back to Top