author: Alex Gaynor <alex.gaynor@gmail.com> 2018-04-13 20:58:31 -0400
committer: Tim Graham <timograham@gmail.com> 2018-04-13 20:58:31 -0400
commit: 9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a (patch)
tree: ddb311604d1ec31ec09c8ae12e34dadc821f7536 /docs/releases
parent: 13efbb233a9aa2e3f13be863c6616ec0767a0d58 (diff)
Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
Diffstat (limited to 'docs/releases')
-rw-r--r-- docs/releases/2.1.txt | 19
1 file changed, 17 insertions, 2 deletions
diff --git a/docs/releases/2.1.txt b/docs/releases/2.1.txt
index d7737e486a..9044c3cd70 100644
--- a/docs/releases/2.1.txt
+++ b/docs/releases/2.1.txt
@@ -112,7 +112,8 @@ Minor features
:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-* ...
+* Added the :setting:`SESSION_COOKIE_SAMESITE` setting to set the ``SameSite``
+ cookie flag on session cookies.
:mod:`django.contrib.sitemaps`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
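Review bot: the new sessions entry says what the setting controls but not its default; the backwards-incompatible note added later in this same patch states that the default is ``Lax``, so consider stating it here as well (e.g. "... cookie flag on session cookies (default ``Lax``)"), since readers scanning the minor-features list will not necessarily reach that section.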
@@ -143,7 +144,8 @@ Cache
CSRF
~~~~
-* ...
+* Added the :setting:`CSRF_COOKIE_SAMESITE` setting to set the ``SameSite``
+ cookie flag on CSRF cookies.
Database backends
~~~~~~~~~~~~~~~~~
@@ -239,6 +241,9 @@ Requests and Responses
* Added :meth:`.HttpRequest.get_full_path_info`.
+* Added the ``samesite`` argument to :meth:`.HttpResponse.set_cookie` to allow
+ setting the ``SameSite`` cookie flag.
+
Serialization
~~~~~~~~~~~~~
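Review bot: the ``samesite`` entry does not say which values the argument accepts or what is emitted when it is omitted; the release notes elsewhere in this patch use ``Lax`` and ``None``, so listing the accepted values and the default here (or pointing at the :meth:`.HttpResponse.set_cookie` reference where they are documented) would make clear whether passing ``None`` means "send no ``SameSite`` attribute".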
@@ -338,6 +343,16 @@ variable now appears as an attribute of each option. For example, in a custom
``input_option.html`` template, change ``{% if wrap_label %}`` to
``{% if widget.wrap_label %}``.
+``SameSite`` cookies
+--------------------
+
+The cookies used for ``django.contrib.sessions``, ``django.contrib.messages``,
+and Django's CSRF protection now set the ``SameSite`` flag to ``Lax`` by
+default. Browsers that respect this flag won't send these cookies on
+cross-origin requests. If you rely on the old behavior, set the
+:setting:`SESSION_COOKIE_SAMESITE` and/or :setting:`CSRF_COOKIE_SAMESITE`
+setting to ``None``.
+
Miscellaneous
-------------
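Review bot: "cross-origin requests" in the third sentence of the new section is not quite right for this flag: ``SameSite`` is evaluated against the request's site (registrable domain), not its origin, so a request from another port or subdomain of the same site still carries the cookie; suggest "cross-site requests". The paragraph also lists ``django.contrib.messages`` among the affected cookies but the remedy names only :setting:`SESSION_COOKIE_SAMESITE` and :setting:`CSRF_COOKIE_SAMESITE`, so say which setting governs the messages cookie so that users relying on the old behavior know what to change.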