summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorOsaetin Daniel <osaetindaniel@gmail.com>2019-10-09 07:42:55 -0400
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-12-12 10:52:31 +0100
commitb33bfc383935cd26e19a2cf71d066ac6edd1425f (patch)
tree660d196a06d609d7ed98c4052c93d584fb2b5948 /docs
parent14e690ae5a6d4ddeb1ac021f78e2e6e333214ef8 (diff)
Fixed #30862 -- Allowed setting SameSite cookies flags to 'none'.
Thanks Florian Apolloner and Carlton Gibson for reviews.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/request-response.txt11
-rw-r--r--docs/ref/settings.txt17
-rw-r--r--docs/releases/3.1.txt16
3 files changed, 40 insertions, 4 deletions
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index e095787363..7a8b4b3082 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -833,9 +833,16 @@ Methods
isn't supported by all browsers, so it's not a replacement for Django's
CSRF protection, but rather a defense in depth measure.
+ Use ``samesite='None'`` (string) to explicitly state that this cookie is
+ sent with all same-site and cross-site requests.
+
.. _HttpOnly: https://www.owasp.org/index.php/HttpOnly
.. _SameSite: https://www.owasp.org/index.php/SameSite
+ .. versionchanged:: 3.1
+
+ Using ``samesite='None'`` (string) was allowed.
+
.. warning::
:rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
@@ -853,6 +860,10 @@ Methods
you will need to remember to pass it to the corresponding
:meth:`HttpRequest.get_signed_cookie` call.
+ .. versionchanged:: 3.1
+
+ Using ``samesite='None'`` (string) was allowed.
+
.. method:: HttpResponse.delete_cookie(key, path='/', domain=None)
Deletes the cookie with the given key. Fails silently if the key doesn't
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 3c360cf284..1d92c50026 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -383,6 +383,10 @@ cookie from being sent in cross-site requests.
See :setting:`SESSION_COOKIE_SAMESITE` for details about ``SameSite``.
+.. versionchanged:: 3.1
+
+ Setting ``CSRF_COOKIE_SAMESITE = 'None'`` was allowed.
+
.. setting:: CSRF_COOKIE_SECURE
``CSRF_COOKIE_SECURE``
@@ -1862,6 +1866,10 @@ cookie from being sent in cross-site requests.
See :setting:`SESSION_COOKIE_SAMESITE` for details about ``SameSite``.
+.. versionchanged:: 3.1
+
+ Setting ``LANGUAGE_COOKIE_SAMESITE = 'None'`` was allowed.
+
.. setting:: LANGUAGE_COOKIE_SECURE
``LANGUAGE_COOKIE_SECURE``
@@ -3208,7 +3216,14 @@ Possible values for the setting are:
regular link from an external website and be blocked in CSRF-prone request
methods (e.g. ``POST``).
-* ``None``: disables the flag.
+* ``'None'`` (string): the session cookie will be sent with all same-site and
+ cross-site requests.
+
+* ``False``: disables the flag.
+
+.. versionchanged:: 3.1
+
+ Setting ``SESSION_COOKIE_SAMESITE = 'None'`` was allowed.
.. _SameSite: https://www.owasp.org/index.php/SameSite
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 7ae21330a6..2e15f62860 100644
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@@ -105,7 +105,9 @@ Minor features
:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-* ...
+* The :setting:`SESSION_COOKIE_SAMESITE` setting now allows ``'None'`` (string)
+ value to explicitly state that the cookie is sent with all same-site and
+ cross-site requests.
:mod:`django.contrib.sitemaps`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -141,7 +143,9 @@ Cache
CSRF
~~~~
-* ...
+* The :setting:`CSRF_COOKIE_SAMESITE` setting now allows ``'None'`` (string)
+ value to explicitly state that the cookie is sent with all same-site and
+ cross-site requests.
Email
~~~~~
@@ -173,7 +177,9 @@ Generic Views
Internationalization
~~~~~~~~~~~~~~~~~~~~
-* ...
+* The :setting:`LANGUAGE_COOKIE_SAMESITE` setting now allows ``'None'``
+ (string) value to explicitly state that the cookie is sent with all same-site
+ and cross-site requests.
Logging
~~~~~~~
@@ -232,6 +238,10 @@ Requests and Responses
* If :setting:`ALLOWED_HOSTS` is empty and ``DEBUG=True``, subdomains of
localhost are now allowed in the ``Host`` header, e.g. ``static.localhost``.
+* :meth:`.HttpResponse.set_cookie` and :meth:`.HttpResponse.set_signed_cookie`
+ now allow using ``samesite='None'`` (string) to explicitly state that the
+ cookie is sent with all same-site and cross-site requests.
+
Serialization
~~~~~~~~~~~~~