Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#31218 closed Bug (invalid)

response.set_cookie() method not accepting "samesite" key set to "None" in release versions

Reported by: Adrien Carpentier Owned by: nobody
Component: HTTP handling Version: 2.2
Severity: Normal Keywords: set_cookie, SameSite, CSRF, cookie
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Adrien Carpentier)

Google is now requesting, starting from Chrome 80 (from February 4th, 2020), to add "SameSite=None; Secure" to cookies (https://www.chromium.org/updates/same-site), otherwise it will not be considered as not CSRF-proof anymore by Chrome.

In all Django release branches, response.set_cookie() method is not accepting "samesite" key set to "None" , but it seems it has been done in master branch (https://github.com/django/django/commit/b33bfc383935cd26e19a2cf71d066ac6edd1425f).

Do you know when it will be merged to the latest release branch(es)?

Change History (9)

comment:1 by Adrien Carpentier, 5 years ago

Description: modified (diff)
Summary: response.set_cookie method not accepting "samesite" key set to "None" in release versionsresponse.set_cookie() method not accepting "samesite" key set to "None" in release versions

comment:2 by Adrien Carpentier, 5 years ago

Description: modified (diff)

comment:3 by Adrien Carpentier, 5 years ago

Description: modified (diff)

comment:4 by Adrien Carpentier, 5 years ago

Description: modified (diff)

comment:5 by Adrien Carpentier, 5 years ago

Type: UncategorizedBug

comment:6 by Adrien Carpentier, 5 years ago

Keywords: SameSite CSRF cookie added

comment:7 by Mariusz Felisiak, 5 years ago

Resolution: invalid
Status: newclosed

Trac is not a place for asking questions. You can start discussion about backporting this change on DevelopersMailingList, but it's against our policy and we've already had a short discussion in the PR. Current decision is to not backport this new feature, but you can start a discussion on DevelopersMailingList if you don't agree.

Last edited 5 years ago by Mariusz Felisiak (previous) (diff)

comment:8 by Claude Paroz, 5 years ago

Mariusz, your PR link is wrong, could you give us the right one?

comment:9 by Mariusz Felisiak, 5 years ago

Thanks Claude, it should be PR.

Note: See TracTickets for help on using tickets.
Back to Top