[Django] #30862: Explicitly set SameSite: None cookies
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin | Owner: nobody
Daniel |
Type: Bug | Status: new
Component: | Version: 2.2
contrib.sessions | Keywords:
Severity: Normal | cookies,request,response
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
When setting cookies (with `.set_cookie` and `set_signed_cookie`) the
default value for the `samesite` argument is None but the problem here is
that Django doesn't do anything with the `None` value.
This behaviour used to be fine because most browsers assumed that a
missing `samesite` attribute on a cookie meant None. But now, Chrome has
issued a warning that `samesite` has to be explicitly set to None else the
cookies won't be sent for cross-origin requests.
https://www.chromestatus.com/feature/5633521622188032
--
Ticket URL: <https://code.djangoproject.com/ticket/30862>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin Daniel | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
cookies,request,response |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* component: contrib.sessions => HTTP handling
* stage: Unreviewed => Accepted
Comment:
Hi.
The link you've given implies that if `samesite` is `None` then we
**must** set `secure` —
[https://github.com/django/django/blob/5d9cf79baf07fc4aed7ad1b06990532a65378155/django/http/response.py#L198-L201
we're not doing that] so we should add an extra clause in there.
> Chrome has issued a warning that samesite has to be explicitly set to
None else the cookies won't be sent for cross-origin requests.
Is this the same point? (It reads differently to me at first glance.)
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:1>
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin Daniel | Owner: nobody
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
cookies,request,response |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Osaetin Daniel):
Replying to [comment:1 Carlton Gibson]:
> Hi.
>
> The link you've given implies that if `samesite` is `None` then we
**must** set `secure` —
[https://github.com/django/django/blob/5d9cf79baf07fc4aed7ad1b06990532a65378155/django/http/response.py#L198-L201
we're not doing that] so we should add an extra clause in there.
>
> > Chrome has issued a warning that samesite has to be explicitly set to
None else the cookies won't be sent for cross-origin requests.
>
> Is this the same point? (It reads differently to me at first glance.)
My bad. The title of the ticket is misleading What I meant to say was to
"allow the option to set 'same-site' to 'None'". At the moment, you can
only set it to "Strict" or "Lax".
This statement "The link you've given implies that if `samesite` is `None`
then we **must** set `secure`" is correct but I think the best thing is to
be as flexible as possible. Although Chrome's warning has good intentions,
it is not a global browser standard and other users (For reasons best
known to them) might want to set the `secure` flag without `samesite` and
vice-versa.
So in this case, the best option, In my opinion, is to allow "None" (as a
string) without enforcing `secure=True` and at the same time preserve the
current behaviour.
Perhaps I jumped the gun with this but I've already opened a PR that
communicates my intentions: https://github.com/django/django/pull/11894
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:2>
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin Daniel | Owner: nobody
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
cookies,request,response |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* has_patch: 0 => 1
Comment:
OK, thank for the update. Makes sense. I've re-titled again accordingly.
> ...I've already opened a PR ...
Gun jumping of that kind we very much like. 🙂
Thanks.
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:3>
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin Daniel | Owner: nobody
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
cookies,request,response |
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* needs_better_patch: 0 => 1
* needs_tests: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:4>
Django
-------------------------------------+-------------------------------------
| Daniel
Type: Bug | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
cookies,request,response |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: new => assigned
* needs_better_patch: 1 => 0
* version: 2.2 => master
* owner: nobody => Osaetin Daniel
* needs_tests: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:5>
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin Daniel | Owner: Osaetin
| Daniel
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
cookies,request,response |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* type: Bug => New feature
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:6>
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin Daniel | Owner: Osaetin
| Daniel
Type: New feature | Status: assigned
Component: HTTP handling | Version: master
Severity: Normal | Resolution:
cookies,request,response | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:7>
Django
-------------------------------------+-------------------------------------
Reporter: Osaetin Daniel | Owner: Osaetin
| Daniel
Component: HTTP handling | Version: master
Keywords: | Triage Stage: Ready for
cookies,request,response | checkin
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"b33bfc383935cd26e19a2cf71d066ac6edd1425f" b33bfc3]:
{{{
#!CommitTicketReference repository=""
revision="b33bfc383935cd26e19a2cf71d066ac6edd1425f"
Fixed #30862 -- Allowed setting SameSite cookies flags to 'none'.
Thanks Florian Apolloner and Carlton Gibson for reviews.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30862#comment:8>