Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#31934 closed Cleanup/optimization (fixed)

Document that "SameSite" has defaults in some browsers.

Reported by: אורי
Owned by: Hasan Ramezani
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc: אורי
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by אורי)

#31933

SESSION_COOKIE_SAMESITE is documented (in Django 3.1) with the options 'Strict', 'Lax', 'None' and False. However, False means cookies will be sent without SameSite, which means some browsers (Chrome, Dolphin) will give it a default such as 'Lax', which is different from what used to be the case in the past. I think this default should be documented in all active versions of Django. Maybe it's also better to add that using False is not recommended.

Also, document that with Chrome, if you use 'None' the cookie must be secure.

Change History (10)

comment:1 Changed 2 years ago by אורי

Description: modified (diff)

comment:2 Changed 2 years ago by אורי

Component: Core (Other) → Documentation

comment:3 Changed 2 years ago by אורי

Cc: אורי added

comment:4 Changed 2 years ago by Mariusz Felisiak

Summary: SESSION_COOKIE_SAMESITE - document that unsetting "SameSite" has defaults in some browsers → Document that "SameSite" has defaults in some browsers.
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

However, False means cookies will be sent without SameSite, which means some browsers (Chrome, Dolphin) will give it a default such as 'Lax', which is different from what used to be the case in the past.

That's true, however this change is not related to Django but to a different behavior of browsers. I think we can add a short note to False, e.g.

``False``:  disables the flag. Browsers can provide a more secure default for `SameSite` if it's not specified explicitly, e.g. `Lax`.

Also, document that with Chrome, if you use 'None' the cookie must be secure.

This is a browser behavior and we're talking about Django's docs, I don't think we should add this to our docs.
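The two browser behaviours discussed in the description and in comment 4 (no SameSite attribute gets a browser default such as Lax; SameSite=None needs Secure in Chrome) are easy to see on the wire. The following is an added example, not Django's own code and not part of this ticket: it builds the Set-Cookie header that each SESSION_COOKIE_SAMESITE value would produce and lints the result for those two cases. It assumes that False simply omits the SameSite attribute (which is how the setting is described above); the cookie name and value are constructed.

```python
# Added example for this ticket, not Django's code. build_session_cookie()
# mirrors the documented meaning of SESSION_COOKIE_SAMESITE: 'Strict', 'Lax'
# and 'None' are emitted as the SameSite attribute, False omits it entirely.
# The cookie name/value below are constructed sample data.

SAMESITE_VALUES = ("Strict", "Lax", "None", False)


def build_session_cookie(samesite, secure, name="sessionid", value="abc123"):
    """Return the Set-Cookie header value for the given settings.

    With samesite=False the SameSite attribute is left out, which is exactly
    what lets a browser such as Chrome substitute its own default (Lax).
    """
    if samesite not in SAMESITE_VALUES:
        raise ValueError("samesite must be 'Strict', 'Lax', 'None' or False")
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    if samesite is not False:
        attrs.append(f"SameSite={samesite}")
    return "; ".join(attrs)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name, value, attrs


def lint_set_cookie(header):
    """Return the findings a reviewer would raise about SameSite handling."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        # The server asked for nothing, but modern browsers fill in Lax, so the
        # cookie is no longer sent on cross-site POSTs or embedded subrequests.
        findings.append(
            "missing SameSite: browsers such as Chrome default to Lax, so the "
            "cookie is withheld from cross-site POST and subresource requests"
        )
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Chrome only accepts SameSite=None on cookies that also carry Secure.
        findings.append(
            "SameSite=None without Secure: Chrome rejects the cookie, so the "
            "session is silently lost"
        )
    return findings


if __name__ == "__main__":
    for samesite in SAMESITE_VALUES:
        for secure in (True, False):
            header = build_session_cookie(samesite, secure)
            print(f"{header}\n    -> {lint_set_cookie(header) or 'ok'}")
```

Running the block prints every combination; the two that produce findings are the False setting (no attribute at all) and 'None' without SESSION_COOKIE_SECURE, which is the pairing the description asks to have documented.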

comment:5 Changed 2 years ago by Hasan Ramezani

I've created a PR based on Mariusz's suggestion.

comment:6 in reply to: 5 Changed 2 years ago by אורי

Replying to Hasan Ramezani:

I've created a PR based on Mariusz's suggestion.

I think we should also change the relevant documentation for Django 2.2 + 3.0, which is different (there is no False there). Maybe add the same line after "None: disables the flag.". (or maybe you can start with a new line and use the same PR for all versions).


comment:7 Changed 2 years ago by Hasan Ramezani

Has patch: set
Owner: changed from nobody to Hasan Ramezani
Status: new → assigned

comment:8 Changed 2 years ago by Mariusz Felisiak

Triage Stage: Accepted → Ready for checkin

comment:9 Changed 2 years ago by Mariusz Felisiak <felisiak.mariusz@…>

Resolution: fixed
Status: assigned → closed

In 70731fc:

Fixed #31934 -- Added note about the default of SameSite cookie flag in modern browsers.

comment:10 Changed 2 years ago by Mariusz Felisiak <felisiak.mariusz@…>

In eda59ba:

[3.1.x] Fixed #31934 -- Added note about the default of SameSite cookie flag in modern browsers.

Backport of 70731fc6feeb40eab535781e938b0e67ff0077ad from master
