Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in HttpResponse.delete_cookie().

Cookies with the "SameSite" flag set to None and without the "secure" flag will be soon rejected by latest browser versions. This affects sessions and messages cookies.
2025-10-24 14:16:09 +00:00 · 2020-07-16 08:16:58 +02:00
parent 156a2138db
commit 240cbb63bf
10 changed files with 66 additions and 10 deletions
--- a/tests/responses/test_cookie.py
+++ b/tests/responses/test_cookie.py
@@ -105,6 +105,7 @@ class DeleteCookieTests(SimpleTestCase):
        self.assertEqual(cookie['path'], '/')
        self.assertEqual(cookie['secure'], '')
        self.assertEqual(cookie['domain'], '')
+        self.assertEqual(cookie['samesite'], '')

    def test_delete_cookie_secure_prefix(self):
        """
@@ -118,3 +119,14 @@ class DeleteCookieTests(SimpleTestCase):
                cookie_name = '__%s-c' % prefix
                response.delete_cookie(cookie_name)
                self.assertIs(response.cookies[cookie_name]['secure'], True)
+
+    def test_delete_cookie_secure_samesite_none(self):
+        # delete_cookie() sets the secure flag if samesite='none'.
+        response = HttpResponse()
+        response.delete_cookie('c', samesite='none')
+        self.assertIs(response.cookies['c']['secure'], True)
+
+    def test_delete_cookie_samesite(self):
+        response = HttpResponse()
+        response.delete_cookie('c', samesite='lax')
+        self.assertEqual(response.cookies['c']['samesite'], 'lax')