Hi Uri
You implied it, but to make it explicit - Django 3.1 allows setting the
value "None" (string) for samesite cookies:
https://docs.djangoproject.com/en/dev/releases/3.1/#django-contrib-sessions
Essentially you're asking for a backport of this feature.
I think a backport is probably reasonable if sites are broken. You didn't
write in your ticket in what way SameSite=Lax breaks your sites - can you
explain the use cases you need SameSite=None for?
It's also possible to work around this by using a middleware that's earlier
in MIDDLEWARE than e.g. SessionMiddleware to mutate the cookie in
response.cookies. The cookie object can have its samesite flag changed
with the update() method:
>>> from django.http import HttpResponse
>>> resp = HttpResponse()
>>> resp.set_cookie('foo', 'bar', samesite='Lax')
>>> resp.cookies['foo']
<Morsel: foo=bar; Path=/; SameSite=Lax>
>>> resp.cookies['foo'].update({"samesite": "None"})
>>> resp.cookies["foo"]
<Morsel: foo=bar; Path=/; SameSite=None>
Hope that helps,
Adam
On Sat, 22 Aug 2020 at 18:19, אורי <[email protected]> wrote:
> Django developers,
>
> I just created issue #31933 <https://code.djangoproject.com/ticket/31933>:
>
> It seems that there is a regression in *Set-Cookie* in browsers such as
> Chrome and Dolphin, which affects Django users. *SESSION_COOKIE_SAMESITE
> = None* does not work any more with those browsers. This affects all
> versions of Django, and especially where it's not possible to explicitly
> set cookies to *SameSite=None* (Django <= 3.0).
>
> You can read about it in the following links:
>
> Cookies default to SameSite=Lax
> <https://www.chromestatus.com/feature/5088147346030592>
> Reject insecure SameSite=None cookies
> <https://www.chromestatus.com/feature/5633521622188032>
>
> You can see more information in the question
> <https://stackoverflow.com/q/63538073/1412564> I just asked on Stack
> Overflow.
>
> I think it should be made possible to explicitly set cookies to
> *SameSite=None*, also in settings such as *SESSION_COOKIE_SAMESITE*, and
> backport it to all working versions of Django.
>
> אורי
> [email protected]
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CABD5YeFnd0p5WmaLsePKzbeO_pR4xrZ5cE7%2BVgfhzHyjgB7uTw%40mail.gmail.com
> <https://groups.google.com/d/msgid/django-developers/CABD5YeFnd0p5WmaLsePKzbeO_pR4xrZ5cE7%2BVgfhzHyjgB7uTw%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
--
Adam
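Adam's middleware workaround written out, as an added example that is not from this thread or from Django itself: a middleware listed before SessionMiddleware rewrites the named cookies to SameSite=None and also marks them Secure, since the second Chrome change Uri links rejects SameSite=None cookies that are not Secure. The cookie names, the FakeResponse stand-in and the demo values are assumptions; only the stdlib http.cookies types that Django's response.cookies is built on are used, so it runs without Django installed.

```python
from http.cookies import SimpleCookie
# Cookie names to rewrite (assumed: Django's default session and CSRF names).
CROSS_SITE_COOKIES = ("sessionid", "csrftoken")


def force_samesite_none(cookies, names=CROSS_SITE_COOKIES):
    """Rewrite the named Morsels in `cookies` so browsers accept them cross-site.

    Chrome rejects SameSite=None cookies that are not also Secure, so both
    attributes are set together. Returns the names that were rewritten.
    """
    changed = []
    for name in names:
        morsel = cookies.get(name)
        if morsel is None:
            continue
        # Morsel.update() validates attribute names; 'samesite' needs Python 3.8+.
        morsel.update({"samesite": "None", "secure": True})
        changed.append(name)
    return changed


class SameSiteNoneMiddleware:
    """List this *before* SessionMiddleware in MIDDLEWARE: Django runs the
    response path bottom-up, so it then sees the session cookie already set."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        force_samesite_none(response.cookies)
        return response


class FakeResponse:
    """Stand-in for django.http.HttpResponse (constructed for this demo)."""
    def __init__(self):
        self.cookies = SimpleCookie()


def demo():
    """Simulate SessionMiddleware setting a Lax cookie, then apply the rewrite."""
    resp = FakeResponse()
    resp.cookies["sessionid"] = "abc123"
    resp.cookies["sessionid"]["path"] = "/"
    resp.cookies["sessionid"]["samesite"] = "Lax"
    middleware = SameSiteNoneMiddleware(lambda request: resp)
    return middleware(None).cookies["sessionid"].OutputString()
```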