#31871 closed Cleanup/optimization (fixed)
SESSION_COOKIE_SAMESITE comment in global_settings is outdated.
Reported by: | אורי | Owned by: | nobody |
---|---|---|---|
Component: | Core (Other) | Version: | 3.1 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
https://github.com/django/django/blob/master/django/conf/global_settings.py#L472-L473
# Whether to set the flag restricting cookie leaks on cross-site requests.
# This can be 'Lax', 'Strict', or None to disable the flag.
This is not what is written in https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SAMESITE
As a side note, I understand that using None can also disable the flag - not only False, and I think this should be documented (since None was the way to disable the flag with Django <= 3.0 - so it should be documented that None still works like before).
Change History (5)
comment:1 by , 4 years ago
Easy pickings: | set |
---|---|
Summary: | SESSION_COOKIE_SAMESITE is not correctly documented on django.conf.global_settings → SESSION_COOKIE_SAMESITE comment in global_settings is outdated. |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Cleanup/optimization |
Version: | master → 3.1 |
comment:3 by , 4 years ago
Has patch: | set |
---|---|
Triage Stage: | Accepted → Ready for checkin |
Agreed, we should update comments in django/conf/global_settings.py.
Yes, you can use None but it's not recommended; we've changed None to False in docs to avoid confusion with 'none' (see comments) and IMO we shouldn't bring it back in docs.
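An added example, not part of the ticket and not Django's own code, showing the distinction discussed above: the Python values None and False omit the SameSite attribute, while the string 'None' emits SameSite=None. The function names, the cookie value and the review messages are assumptions made for illustration; only the standard library is used.

```python
from http.cookies import SimpleCookie

VALID = ("lax", "strict", "none")


def samesite_attribute(value):
    """Return the SameSite attribute to emit, or None when the flag is omitted.

    Assumption: falsy settings values (False, None) disable the flag, and
    strings are matched case-insensitively against lax/strict/none.
    """
    if not value:
        return None
    if not isinstance(value, str) or value.lower() not in VALID:
        raise ValueError('samesite must be "lax", "none", or "strict".')
    return value


def session_cookie_header(samesite, secure=False):
    """Build the Set-Cookie value for a constructed session cookie."""
    cookie = SimpleCookie()
    cookie["sessionid"] = "constructed-value"  # constructed sample, not a real session
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["path"] = "/"
    if secure:
        cookie["sessionid"]["secure"] = True
    attr = samesite_attribute(samesite)
    if attr is not None:
        cookie["sessionid"]["samesite"] = attr
    return cookie["sessionid"].OutputString()


def review_setting(samesite, secure=False):
    """Return findings for a SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE pair."""
    findings = []
    attr = samesite_attribute(samesite)
    if attr is None:
        findings.append("SameSite flag disabled: browser default applies")
    elif attr.lower() == "none" and not secure:
        findings.append("SameSite=None without Secure: browsers may reject the cookie")
    return findings


if __name__ == "__main__":
    for value in (None, False, "None", "Lax", "Strict"):
        print(repr(value), "->", session_cookie_header(value), review_setting(value))
```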