#31218 closed Bug (invalid)
response.set_cookie() method not accepting "samesite" key set to "None" in release versions
Reported by: | Adrien Carpentier | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 2.2 |
Severity: | Normal | Keywords: | set_cookie, SameSite, CSRF, cookie |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Google is now requesting, starting from Chrome 80 (from February 4th, 2020), to add "SameSite=None; Secure" to cookies (https://www.chromium.org/updates/same-site), otherwise it will not be considered as not CSRF-proof anymore by Chrome.
In all Django release branches, the response.set_cookie() method is not accepting the "samesite" key set to "None", but it seems it has been done in the master branch (https://github.com/django/django/commit/b33bfc383935cd26e19a2cf71d066ac6edd1425f).
Do you know when it will be merged to the latest release branch(es)?
Change History (9)
comment:1 by , 5 years ago
Description: | modified (diff) |
---|---|
Summary: | response.set_cookie method not accepting "samesite" key set to "None" in release versions → response.set_cookie() method not accepting "samesite" key set to "None" in release versions |
comment:2 by , 5 years ago
Description: | modified (diff) |
---|
comment:3 by , 5 years ago
Description: | modified (diff) |
---|
comment:4 by , 5 years ago
Description: | modified (diff) |
---|
comment:5 by , 5 years ago
Type: | Uncategorized → Bug |
---|
comment:6 by , 5 years ago
Keywords: | SameSite CSRF cookie added |
---|
comment:7 by , 5 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Trac is not a place for asking questions. You can start discussion about backporting this change on DevelopersMailingList, but it's against our policy and we've already had a short discussion in the PR. Current decision is to not backport this new feature, but you can start a discussion on DevelopersMailingList if you don't agree.
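Added example, not part of the ticket or of Django's code: on a release where set_cookie() does not accept samesite "None", the attribute can be appended to the outgoing Set-Cookie header by a WSGI middleware, limited to an allow-list so that other cookies keep their existing SameSite behaviour. The cookie name `embed_session` and the names `CROSS_SITE_COOKIES`, `add_samesite_none` and `SameSiteNoneMiddleware` are assumptions made for illustration.

```python
# Added example: framework-agnostic WSGI middleware, standard library only.
# Hypothetical allow-list: only cookies that genuinely need cross-site delivery.
CROSS_SITE_COOKIES = {"embed_session"}


def add_samesite_none(header_value):
    """Return the Set-Cookie value with 'SameSite=None; Secure' for allow-listed names."""
    name = header_value.split("=", 1)[0].strip()
    if name not in CROSS_SITE_COOKIES:
        return header_value  # every other cookie is left untouched
    attrs = [a.strip() for a in header_value.split(";")]
    lowered = [a.lower() for a in attrs[1:]]
    samesite = [a for a in lowered if a.startswith("samesite=")]
    if samesite and samesite[0] != "samesite=none":
        return header_value  # an explicit Lax/Strict set by the application wins
    if not samesite:
        attrs.append("SameSite=None")
    if "secure" not in lowered:
        attrs.append("Secure")  # the ticket's requirement: "SameSite=None; Secure"
    return "; ".join(attrs)


class SameSiteNoneMiddleware:
    """Wrap a WSGI application and rewrite its Set-Cookie response headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = [
                (k, add_samesite_none(v)) if k.lower() == "set-cookie" else (k, v)
                for k, v in headers
            ]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)
```

A cookie marked Secure is only sent over HTTPS, so the wrapped site has to be served over TLS for the rewritten cookie to be usable.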