summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorAlex Gaynor <alex.gaynor@gmail.com>2018-04-13 20:58:31 -0400
committerTim Graham <timograham@gmail.com>2018-04-13 20:58:31 -0400
commit9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a (patch)
treeddb311604d1ec31ec09c8ae12e34dadc821f7536 /docs
parent13efbb233a9aa2e3f13be863c6616ec0767a0d58 (diff)
Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/csrf.txt1
-rw-r--r--docs/ref/request-response.txt13
-rw-r--r--docs/ref/settings.txt53
-rw-r--r--docs/releases/2.1.txt19
-rw-r--r--docs/topics/http/sessions.txt1
5 files changed, 83 insertions, 4 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 34660f5098..fdb373b002 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -513,6 +513,7 @@ A number of settings can be used to control Django's CSRF behavior:
* :setting:`CSRF_COOKIE_HTTPONLY`
* :setting:`CSRF_COOKIE_NAME`
* :setting:`CSRF_COOKIE_PATH`
+* :setting:`CSRF_COOKIE_SAMESITE`
* :setting:`CSRF_COOKIE_SECURE`
* :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME`
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index c088186001..0caf37bc99 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -748,7 +748,7 @@ Methods
Sets a header unless it has already been set.
-.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
+.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)
Sets a cookie. The parameters are the same as in the
:class:`~http.cookies.Morsel` cookie object in the Python standard library.
@@ -773,8 +773,17 @@ Methods
when it is honored, it can be a useful way to mitigate the
risk of a client-side script from accessing the protected cookie
data.
+ * Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not
+ to send this cookie when performing a cross-origin request. `SameSite`_
+ isn't supported by all browsers, so it's not a replacement for Django's
+ CSRF protection, but rather a defense in depth measure.
+
+ .. versionchanged:: 2.1
+
+ The ``samesite`` argument was added.
.. _HTTPOnly: https://www.owasp.org/index.php/HTTPOnly
+ .. _SameSite: https://www.owasp.org/index.php/SameSite
.. warning::
@@ -784,7 +793,7 @@ Methods
to store a cookie of more than 4096 bytes, but many browsers will not
set the cookie correctly.
-.. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
+.. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True, samesite=None)
Like :meth:`~HttpResponse.set_cookie()`, but
:doc:`cryptographic signing </topics/signing>` the cookie before setting
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index bc36f7c1d1..3647e60663 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -365,6 +365,20 @@ This is useful if you have multiple Django instances running under the same
hostname. They can use different cookie paths, and each instance will only see
its own CSRF cookie.
+.. setting:: CSRF_COOKIE_SAMESITE
+
+``CSRF_COOKIE_SAMESITE``
+------------------------
+
+.. versionadded:: 2.1
+
+Default: ``'Lax'``
+
+The value of the `SameSite`_ flag on the CSRF cookie. This flag prevents the
+cookie from being sent in cross-site requests.
+
+See :setting:`SESSION_COOKIE_SAMESITE` for details about ``SameSite``.
+
.. setting:: CSRF_COOKIE_SECURE
``CSRF_COOKIE_SECURE``
@@ -3025,6 +3039,44 @@ This is useful if you have multiple Django instances running under the same
hostname. They can use different cookie paths, and each instance will only see
its own session cookie.
+.. setting:: SESSION_COOKIE_SAMESITE
+
+``SESSION_COOKIE_SAMESITE``
+---------------------------
+
+.. versionadded:: 2.1
+
+Default: ``'Lax'``
+
+The value of the `SameSite`_ flag on the session cookie. This flag prevents the
+cookie from being sent in cross-site requests thus preventing CSRF attacks and
+making some methods of stealing session cookie impossible.
+
+Possible values for the setting are:
+
+* ``'Strict'``: prevents the cookie from being sent by the browser to the
+ target site in all cross-site browsing context, even when following a regular
+ link.
+
+ For example, for a GitHub-like website this would mean that if a logged-in
+ user follows a link to a private GitHub project posted on a corporate
+ discussion forum or email, GitHub will not receive the session cookie and the
+ user won't be able to access the project. A bank website, however, most
+ likely doesn't want to allow any transactional pages to be linked from
+ external sites so the ``'Strict'`` flag would be appropriate.
+
+* ``'Lax'`` (default): provides a balance between security and usability for
+ websites that want to maintain user's logged-in session after the user
+ arrives from an external link.
+
+ In the GitHub scenario, the session cookie would be allowed when following a
+ regular link from an external website and be blocked in CSRF-prone request
+ methods (e.g. ``POST``).
+
+* ``None``: disables the flag.
+
+.. _SameSite: https://www.owasp.org/index.php/SameSite
+
.. setting:: SESSION_COOKIE_SECURE
``SESSION_COOKIE_SECURE``
@@ -3425,6 +3477,7 @@ Security
* :setting:`CSRF_COOKIE_DOMAIN`
* :setting:`CSRF_COOKIE_NAME`
* :setting:`CSRF_COOKIE_PATH`
+ * :setting:`CSRF_COOKIE_SAMESITE`
* :setting:`CSRF_COOKIE_SECURE`
* :setting:`CSRF_FAILURE_VIEW`
* :setting:`CSRF_HEADER_NAME`
diff --git a/docs/releases/2.1.txt b/docs/releases/2.1.txt
index d7737e486a..9044c3cd70 100644
--- a/docs/releases/2.1.txt
+++ b/docs/releases/2.1.txt
@@ -112,7 +112,8 @@ Minor features
:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-* ...
+* Added the :setting:`SESSION_COOKIE_SAMESITE` setting to set the ``SameSite``
+ cookie flag on session cookies.
:mod:`django.contrib.sitemaps`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -143,7 +144,8 @@ Cache
CSRF
~~~~
-* ...
+* Added the :setting:`CSRF_COOKIE_SAMESITE` setting to set the ``SameSite``
+ cookie flag on CSRF cookies.
Database backends
~~~~~~~~~~~~~~~~~
@@ -239,6 +241,9 @@ Requests and Responses
* Added :meth:`.HttpRequest.get_full_path_info`.
+* Added the ``samesite`` argument to :meth:`.HttpResponse.set_cookie` to allow
+ setting the ``SameSite`` cookie flag.
+
Serialization
~~~~~~~~~~~~~
@@ -338,6 +343,16 @@ variable now appears as an attribute of each option. For example, in a custom
``input_option.html`` template, change ``{% if wrap_label %}`` to
``{% if widget.wrap_label %}``.
+``SameSite`` cookies
+--------------------
+
+The cookies used for ``django.contrib.sessions``, ``django.contrib.messages``,
+and Django's CSRF protection now set the ``SameSite`` flag to ``Lax`` by
+default. Browsers that respect this flag won't send these cookies on
+cross-origin requests. If you rely on the old behavior, set the
+:setting:`SESSION_COOKIE_SAMESITE` and/or :setting:`CSRF_COOKIE_SAMESITE`
+setting to ``None``.
+
Miscellaneous
-------------
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index ce5d8019bd..745c735e46 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -629,6 +629,7 @@ behavior:
* :setting:`SESSION_COOKIE_HTTPONLY`
* :setting:`SESSION_COOKIE_NAME`
* :setting:`SESSION_COOKIE_PATH`
+* :setting:`SESSION_COOKIE_SAMESITE`
* :setting:`SESSION_COOKIE_SECURE`
* :setting:`SESSION_ENGINE`
* :setting:`SESSION_EXPIRE_AT_BROWSER_CLOSE`