[Django] #31871: SESSION_COOKIE_SAMESITE is not correctly documented on django.conf.global_settings

Django

Aug 9, 2020, 9:59:04 AM
to django-...@googlegroups.com
#31871: SESSION_COOKIE_SAMESITE is not correctly documented on
django.conf.global_settings
-----------------------------------------+------------------------
Reporter: אורי | Owner: nobody
Type: Uncategorized | Status: new
Component: Core (Other) | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
https://github.com/django/django/blob/master/django/conf/global_settings.py#L472-L473


{{{
# Whether to set the flag restricting cookie leaks on cross-site requests.
# This can be 'Lax', 'Strict', or None to disable the flag.
}}}

This is not what is written in
https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SAMESITE

As a side note, I understand that using `None` can also disable the flag -
not only `False`, and I think this should be documented (since `None` was
the way to disable the flag with Django <= 3.0 - so it should be
documented that `None` still works like before).

--
Ticket URL: <https://code.djangoproject.com/ticket/31871>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 10, 2020, 1:44:28 AM
to django-...@googlegroups.com
#31871: SESSION_COOKIE_SAMESITE comment in global_settings is outdated.
--------------------------------------+------------------------------------
Reporter: אורי | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by felixxm):

* type: Uncategorized => Cleanup/optimization
* version: master => 3.1
* easy: 0 => 1
* stage: Unreviewed => Accepted


Comment:

Agreed, we should update comments in `django/conf/global_settings.py`:


{{{
# Whether to set the flag restricting cookie leaks on cross-site requests.
# This can be 'Lax', 'Strict', 'None', or False to disable the flag.
}}}

> As a side note, I understand that using None can also disable the flag -
> not only False, and I think this should be documented (since None was the
> way to disable the flag with Django <= 3.0 - so it should be documented
> that None still works like before).

Yes you can use `None` but it's not recommended, we've changed `None` to
`False` in docs to avoid confusion with `'none'` (see
[https://github.com/django/django/pull/11894#discussion_r356541094
comments]) and IMO we shouldn't bring it back in docs.

--
Ticket URL: <https://code.djangoproject.com/ticket/31871#comment:1>
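
The distinction discussed in this comment, as an added example that is not part of the ticket and is not Django's own code: it uses only the Python standard library to show what each documented value puts in the Set-Cookie header, and why the Python object None and the string 'None' must not be confused. The function names and the sample cookie value are hypothetical; the note that Chrome rejects SameSite=None without Secure is browser behaviour, not something stated in the thread.

```python
from http.cookies import SimpleCookie

VALID_SAMESITE = ("lax", "none", "strict")


def session_cookie_header(samesite, secure=False):
    """Render a Set-Cookie value for a SESSION_COOKIE_SAMESITE-style setting."""
    cookie = SimpleCookie()
    cookie["sessionid"] = "constructed-session-id"  # constructed sample value
    morsel = cookie["sessionid"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if samesite:  # False and the Python object None are both falsy: no attribute
        if not isinstance(samesite, str) or samesite.lower() not in VALID_SAMESITE:
            raise ValueError("samesite must be 'Lax', 'Strict', 'None' or False")
        morsel["samesite"] = samesite
    return morsel.OutputString()


def audit_samesite(samesite, secure):
    """Return findings for a (SESSION_COOKIE_SAMESITE, SESSION_COOKIE_SECURE) pair."""
    if samesite is False:
        return ["SameSite attribute disabled explicitly"]
    if samesite is None:
        return ["None (Python object) disables the attribute; it is not the "
                "string 'None'. Write False if disabling is intended."]
    if not isinstance(samesite, str) or samesite.lower() not in VALID_SAMESITE:
        return ["invalid value %r" % (samesite,)]
    if samesite.lower() == "none" and not secure:
        return ["'None' emits SameSite=None, which Chrome rejects without Secure"]
    return []


if __name__ == "__main__":
    # Walk the values named in the thread and show header plus findings.
    for value in ("Lax", "Strict", "None", None, False):
        print("%-8r -> %s" % (value, session_cookie_header(value, secure=True)))
        print("          findings:", audit_samesite(value, secure=False))
```
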

Django

Aug 10, 2020, 2:20:05 AM
to django-...@googlegroups.com
#31871: SESSION_COOKIE_SAMESITE comment in global_settings is outdated.
--------------------------------------+------------------------------------
Reporter: אורי | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by אורי):

[https://github.com/django/django/pull/13288 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/31871#comment:2>

Django

Aug 10, 2020, 2:25:54 AM
to django-...@googlegroups.com
#31871: SESSION_COOKIE_SAMESITE comment in global_settings is outdated.
-------------------------------------+-------------------------------------
Reporter: אורי | Owner: nobody
Type: | Status: new
Cleanup/optimization |
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* has_patch: 0 => 1
* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/31871#comment:3>

Django

Aug 10, 2020, 2:46:56 AM
to django-...@googlegroups.com
#31871: SESSION_COOKIE_SAMESITE comment in global_settings is outdated.
-------------------------------------+-------------------------------------
Reporter: אורי | Owner: nobody
Type: | Status: closed
Cleanup/optimization |
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by GitHub <noreply@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"ad827ddaef05069a1385cc2d26fd2ab9c6ba1f4d" ad827dda]:
{{{
#!CommitTicketReference repository=""
revision="ad827ddaef05069a1385cc2d26fd2ab9c6ba1f4d"
Fixed #31871 -- Updated SESSION_COOKIE_SAMESITE comment in
global_settings.py.

Follow up to b33bfc383935cd26e19a2cf71d066ac6edd1425f.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31871#comment:4>

Django

Aug 10, 2020, 2:47:58 AM
to django-...@googlegroups.com
#31871: SESSION_COOKIE_SAMESITE comment in global_settings is outdated.
-------------------------------------+-------------------------------------
Reporter: אורי | Owner: nobody
Type: | Status: closed
Cleanup/optimization |
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"a1ce98fa6fba82fc0606b59a0e57b061d8997174" a1ce98fa]:
{{{
#!CommitTicketReference repository=""
revision="a1ce98fa6fba82fc0606b59a0e57b061d8997174"
[3.1.x] Fixed #31871 -- Updated SESSION_COOKIE_SAMESITE comment in
global_settings.py.

Follow up to b33bfc383935cd26e19a2cf71d066ac6edd1425f.
Backport of ad827ddaef05069a1385cc2d26fd2ab9c6ba1f4d from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31871#comment:5>
