Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#31934 closed Cleanup/optimization (fixed)

Document that "SameSite" has defaults in some browsers.

Reported by: אורי Owned by: Hasan Ramezani
Component: Documentation Version: dev
Severity: Normal Keywords:
Cc: אורי Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by אורי)

#31933

SESSION_COOKIE_SAMESITE is documented (in Django 3.1) with the options 'Strict', 'Lax', 'None' and False. However, False means cookies will be sent without SameSite, which means some browsers (Chrome, Dolphin) will give it a default such as 'Lax', which is different from what used to be in the past. I think this default should be documented in all active versions of Django. Maybe it's also better to add that using False is not recommended.

Also, document that with Chrome, if you use 'None' the cookie must be secure.
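The two situations the description raises, shown as an added example (not Django's own code and not part of the ticket): a simplified rendering of the session cookie as Django's set_cookie() would emit it for a given SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE pair, plus a settings check that flags the omitted attribute (browser default applies) and the 'None'-without-Secure case. The cookie name and value are constructed sample data.

```python
from http.cookies import SimpleCookie


def session_set_cookie(samesite, secure, value="sessionid-value"):
    """Render the Set-Cookie attributes for the session cookie.

    Simplified reimplementation (not Django's own code) of how set_cookie()
    maps SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE onto the header.
    Django 3.1 accepts 'Lax', 'Strict', 'None' or False for samesite.
    """
    cookie = SimpleCookie()
    cookie["sessionid"] = value
    morsel = cookie["sessionid"]
    morsel["httponly"] = True
    morsel["path"] = "/"
    if secure:
        morsel["secure"] = True
    if samesite:
        # Same validation Django applies to the samesite argument.
        if samesite.lower() not in ("lax", "none", "strict"):
            raise ValueError('samesite must be "lax", "none", or "strict".')
        morsel["samesite"] = samesite
    # With samesite=False the attribute is simply absent from the header.
    return morsel.OutputString()


def audit_samesite_settings(samesite, secure):
    """Return warnings for what a browser will do with this combination."""
    warnings = []
    if not samesite:
        warnings.append(
            "SameSite not set: browsers such as Chrome apply their own "
            "default (e.g. Lax); set SESSION_COOKIE_SAMESITE explicitly."
        )
    elif samesite.lower() == "none" and not secure:
        warnings.append(
            "SameSite=None without Secure: Chrome rejects the cookie; "
            "set SESSION_COOKIE_SECURE = True."
        )
    return warnings


if __name__ == "__main__":
    for samesite, secure in ((False, False), ("None", False), ("None", True)):
        print(session_set_cookie(samesite, secure))
        for warning in audit_samesite_settings(samesite, secure):
            print("  WARNING:", warning)
```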

Change History (10)

comment:1 Changed 22 months ago by אורי

Description: modified (diff)

comment:2 Changed 22 months ago by אורי

Component: Core (Other) → Documentation

comment:3 Changed 22 months ago by אורי

Cc: אורי added

comment:4 Changed 22 months ago by Mariusz Felisiak

Summary: SESSION_COOKIE_SAMESITE - document that unsetting "SameSite" has defaults in some browsers → Document that "SameSite" has defaults in some browsers.
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

However, False means cookies will be sent without SameSite, which means some browsers (Chrome, Dolphin) will give it default such as 'Lax', which is different than what used to be in the past.

That's true, however this change is not related to Django but to a different behavior of browsers. I think we can add a short note to False, e.g.

``False``: disables the flag. Browsers can provide a more secure default for ``SameSite`` if it's not specified explicitly, e.g. ``Lax``.

Also, document that with Chrome, if you use 'None' the cookie must be secure.

This is a browser behavior and we're talking about Django's docs, I don't think we should add this to our docs.

comment:5 Changed 22 months ago by Hasan Ramezani

I've created a PR based on Mariusz's suggestion.

comment:6 in reply to: 5 Changed 22 months ago by אורי

Replying to Hasan Ramezani:

I've created a PR based on Mariusz's suggestion.

I think we should also change the relevant documentation for Django 2.2 + 3.0, which is different (there is no False there). Maybe add the same line after "None: disables the flag.".

Last edited 22 months ago by אורי

comment:7 Changed 22 months ago by Hasan Ramezani

Has patch: set
Owner: changed from nobody to Hasan Ramezani
Status: new → assigned

comment:8 Changed 22 months ago by Mariusz Felisiak

Triage Stage: Accepted → Ready for checkin

comment:9 Changed 22 months ago by Mariusz Felisiak <felisiak.mariusz@…>

Resolution: fixed
Status: assigned → closed

In 70731fc:

Fixed #31934 -- Added note about the default of SameSite cookie flag in modern browsers.

comment:10 Changed 22 months ago by Mariusz Felisiak <felisiak.mariusz@…>

In eda59ba:

[3.1.x] Fixed #31934 -- Added note about the default of SameSite cookie flag in modern browsers.

Backport of 70731fc6feeb40eab535781e938b0e67ff0077ad from master
