author: Osaetin Daniel <osaetindaniel@gmail.com> 2019-10-09 07:42:55 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-12-12 10:52:31 +0100
commit: b33bfc383935cd26e19a2cf71d066ac6edd1425f
tree: 660d196a06d609d7ed98c4052c93d584fb2b5948 /docs/ref/request-response.txt
parent: 14e690ae5a6d4ddeb1ac021f78e2e6e333214ef8
Fixed #30862 -- Allowed setting SameSite cookies flags to 'none'.
Thanks Florian Apolloner and Carlton Gibson for reviews.
Diffstat (limited to 'docs/ref/request-response.txt')
-rw-r--r-- docs/ref/request-response.txt 11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index e095787363..7a8b4b3082 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -833,9 +833,16 @@ Methods
isn't supported by all browsers, so it's not a replacement for Django's
CSRF protection, but rather a defense in depth measure.
+ Use ``samesite='None'`` (string) to explicitly state that this cookie is
+ sent with all same-site and cross-site requests.
+
.. _HttpOnly: https://www.owasp.org/index.php/HttpOnly
.. _SameSite: https://www.owasp.org/index.php/SameSite
+ .. versionchanged:: 3.1
+
+ Using ``samesite='None'`` (string) was allowed.
+
.. warning::
:rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
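Review bot: the added sentence on ``samesite='None'`` does not say what the setting costs. It sits directly under the paragraph that describes SameSite as a defense in depth measure alongside CSRF protection, yet a cookie that is "sent with all same-site and cross-site requests" no longer gets that measure. Suggest adding a clause saying so, so readers do not pick ``'None'`` without realising they are opting out. The "(string)" parenthetical is also easy to miss: consider stating outright that the string ``'None'`` is different from passing Python ``None``, and what each does to the emitted cookie.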
@@ -853,6 +860,10 @@ Methods
you will need to remember to pass it to the corresponding
:meth:`HttpRequest.get_signed_cookie` call.
+ .. versionchanged:: 3.1
+
+ Using ``samesite='None'`` (string) was allowed.
+
.. method:: HttpResponse.delete_cookie(key, path='/', domain=None)
Deletes the cookie with the given key. Fails silently if the key doesn't
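Review bot: the ``versionchanged`` note added in this hunk is a verbatim copy of the one in the previous hunk, but this section gets no accompanying explanation of what ``samesite='None'`` means. A reader who lands here first sees only "Using ``samesite='None'`` (string) was allowed." and has to guess that the behaviour is described under the earlier method. Suggest adding a short cross-reference to that description rather than repeating the bare note.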