Document that "SameSite" has defaults in some browsers.
#31933
SESSION_COOKIE_SAMESITE is documented (in Django 3.1) with the options 'Strict', 'Lax', 'None' and False. However, False means cookies will be sent without SameSite, which means some browsers (Chrome, Dolphin) will give it a default such as 'Lax', which is different than what it used to be in the past. I think this default should be documented in all active versions of Django. Maybe it's also better to add that using False is not recommended.
Also, document that with Chrome, if you use 'None' the cookie must be secure.
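Added example (not part of the ticket and not Django's own code): a small audit of Set-Cookie headers for the two behaviours described above, a missing SameSite attribute falling back to a browser default and SameSite=None needing Secure. The function names, the browser_default parameter and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the two browser behaviours
# raised in the ticket. Names and sample data are constructed.
VALID = {"strict": "Strict", "lax": "Lax", "none": "None"}


def parse_set_cookie(header):
    """Return (cookie_name, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie header")
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_samesite(header, browser_default="Lax"):
    """Report declared vs. effective SameSite for one Set-Cookie header.

    browser_default is an assumption: the ticket names 'Lax' as the value
    some browsers (Chrome) apply when the attribute is absent.
    """
    name, attrs = parse_set_cookie(header)
    declared = attrs.get("samesite")
    findings = []
    if declared is None:
        # What SESSION_COOKIE_SAMESITE = False produces: no attribute at all.
        effective = browser_default
        findings.append("SameSite absent: browser default applies")
    elif declared.lower() not in VALID:
        effective = "unknown"
        findings.append("unrecognised SameSite value %r" % declared)
    else:
        effective = VALID[declared.lower()]
        if effective == "None" and "secure" not in attrs:
            # Chrome requires Secure alongside SameSite=None (per the ticket).
            effective = "rejected"
            findings.append("SameSite=None without Secure")
    return {"cookie": name, "declared": declared,
            "effective": effective, "findings": findings}


# Constructed sample headers, not captured from a real site.
SAMPLES = [
    "sessionid=abc123; HttpOnly; Path=/",
    "sessionid=abc123; HttpOnly; Path=/; SameSite=None",
    "sessionid=abc123; HttpOnly; Path=/; SameSite=None; Secure",
    "sessionid=abc123; HttpOnly; Path=/; SameSite=Strict",
]
```

Running audit_samesite over the response headers of a deployed site shows whether the session cookie relies on a browser default rather than an explicit value.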
Change History (10)
Description: modified
Component: Core (Other) → Documentation
Summary: SESSION_COOKIE_SAMESITE - document that unsetting "SameSite" has defaults in some browsers → Document that "SameSite" has defaults in some browsers.
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization
Has patch: set
Owner: changed from nobody to Hasan Ramezani
Status: new → assigned
Triage Stage: Accepted → Ready for checkin
Resolution: → fixed
Status: assigned → closed
That's true, however this change is not related to Django but to a different behavior of browsers. I think we can add a short note to False, e.g.
This is a browser behavior and we're talking about Django's docs, I don't think we should add this to our docs.