https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
I believe simply adding `SameSite=lax` to the session cookie is all that'd
be required to get this protection, and I don't think there'd be any
backwards compatibility concerns (<---- almost certainly not this simple).
--
Ticket URL: <https://code.djangoproject.com/ticket/27863>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Comment (by Alex Gaynor):
Note: this requires a change to the stdlib `cookies` module:
https://github.com/python/cpython/pull/214 I suspect with some hackery
this can be worked around in Django though.
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:1>
* owner: nobody => Paweł Krawczyk
* status: new => assigned
Comment:
This can be implemented in HttpResponse.set_cookie() alone. I have just
sent a pull-request on GitHub for that.
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:2>
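As an added illustration of the stdlib limitation Alex Gaynor mentions and of the set_cookie()-level approach proposed above (example code written for this page, not the Django patch or any project code): it builds and re-parses a Set-Cookie value carrying SameSite with `http.cookies`, registering the attribute first on interpreters whose `Morsel` does not know it. It assumes `Morsel._reserved` is the private lowercase-name to wire-spelling table, which is an implementation detail.

```python
"""Set-Cookie with SameSite via the stdlib http.cookies module, including the
workaround needed where Morsel predates the attribute."""
from http import cookies

# Values defined by draft-ietf-httpbis-cookie-same-site-00; the stdlib does
# not validate the attribute value, so we normalise and check it here.
ALLOWED_SAMESITE = {"lax": "Lax", "strict": "Strict"}


def register_samesite():
    """Make Morsel accept 'samesite' if this interpreter does not know it yet.

    Morsel._reserved (private API, assumption) maps lowercase attribute names to
    their wire spelling. Returns True when the entry had to be added.
    """
    if "samesite" in cookies.Morsel._reserved:
        return False
    cookies.Morsel._reserved["samesite"] = "SameSite"
    return True


def session_cookie_header(name, value, samesite="lax", secure=True,
                          httponly=True, path="/"):
    """Return the Set-Cookie header value for a session-style cookie."""
    try:
        wire_value = ALLOWED_SAMESITE[samesite.lower()]
    except KeyError:
        raise ValueError("samesite must be 'lax' or 'strict', got %r" % samesite)
    register_samesite()
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["samesite"] = wire_value
    # 'secure' and 'httponly' are flags: emitted bare when truthy, omitted otherwise.
    morsel["secure"] = secure
    morsel["httponly"] = httponly
    return morsel.OutputString()


def samesite_of(set_cookie_value):
    """Parse a Set-Cookie value back and return its SameSite value ('' if absent)."""
    register_samesite()
    jar = cookies.SimpleCookie()
    jar.load(set_cookie_value)
    (morsel,) = jar.values()
    return morsel["samesite"]


if __name__ == "__main__":
    # Constructed sample values, not from any real session.
    print(session_cookie_header("sessionid", "abc123"))
```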
* has_patch: 0 => 1
Comment:
PR https://github.com/django/django/pull/8380
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:3>
* version: 1.10 => master
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:4>
* needs_docs: 0 => 1
* component: contrib.sessions => HTTP handling
* needs_tests: 0 => 1
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:5>
* owner: Paweł Krawczyk => shangdahao
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:6>
* status: assigned => new
* owner: hui shang => (none)
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:7>
* needs_docs: 1 => 0
* needs_tests: 1 => 0
Comment:
[https://github.com/django/django/pull/9860 New PR] (still needs some
work)
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:6>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a" 9a56b4b1]:
{{{
#!CommitTicketReference repository=""
revision="9a56b4b13ed92d2d5bb00d6bdb905a73bc5f2f0a"
Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27863#comment:7>