Fixed #30862 -- Allowed setting SameSite cookies flags to 'none'.

Thanks Florian Apolloner and Carlton Gibson for reviews.
2025-10-31 09:41:08 +00:00 · 2019-10-09 07:42:55 -04:00
parent 14e690ae5a
commit b33bfc3839
5 changed files with 46 additions and 7 deletions
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@@ -105,7 +105,9 @@ Minor features
 :mod:`django.contrib.sessions`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-* ...
+* The :setting:`SESSION_COOKIE_SAMESITE` setting now allows ``'None'`` (string)
+  value to explicitly state that the cookie is sent with all same-site and
+  cross-site requests.

 :mod:`django.contrib.sitemaps`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -141,7 +143,9 @@ Cache
 CSRF
 ~~~~

-* ...
+* The :setting:`CSRF_COOKIE_SAMESITE` setting now allows ``'None'`` (string)
+  value to explicitly state that the cookie is sent with all same-site and
+  cross-site requests.

 Email
 ~~~~~
@@ -173,7 +177,9 @@ Generic Views
 Internationalization
 ~~~~~~~~~~~~~~~~~~~~

-* ...
+* The :setting:`LANGUAGE_COOKIE_SAMESITE` setting now allows ``'None'``
+  (string) value to explicitly state that the cookie is sent with all same-site
+  and cross-site requests.

 Logging
 ~~~~~~~
@@ -232,6 +238,10 @@ Requests and Responses
 * If :setting:`ALLOWED_HOSTS` is empty and ``DEBUG=True``, subdomains of
  localhost are now allowed in the ``Host`` header, e.g. ``static.localhost``.

+* :meth:`.HttpResponse.set_cookie` and :meth:`.HttpResponse.set_signed_cookie`
+  now allow using ``samesite='None'`` (string) to explicitly state that the
+  cookie is sent with all same-site and cross-site requests.
+
 Serialization
 ~~~~~~~~~~~~~