#27863: Implement "SameSite" flag for session cookies
--------------------------------------------+------------------------
Reporter: Alex Gaynor | Owner: nobody
Type: New feature | Status: new
Component: contrib.sessions | Version: 1.10
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------+------------------------
SameSite is a mechanism for telling browsers not to send a cookie on
requests with a different origin. It's not yet widely supported to the
point of being the only CSRF protection
(http://caniuse.com/#feat=same-site-cookie-attribute), but at 50% global
deployment, it'd be very useful for Defense in Depth.
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
I believe simply adding `SameSite=lax` to the session cookie is all that'd
be required to get this protection, and I don't think there'd be any
backwards compatibility concerns (<---- almost certainly not this simple).
--
Ticket URL: <https://code.djangoproject.com/ticket/27863>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
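As an added illustration of the mechanism the ticket describes (not Django's code and not the reporter's): a small model of when a browser attaches a cookie carrying SameSite=Lax versus Strict, plus a helper that appends the attribute to a Set-Cookie line. The Request class, the two-label site comparison and the sample hosts are simplified assumptions made for this example.

```python
"""Model of how a browser applies the SameSite cookie attribute.

Added illustration for ticket #27863; not Django code. The Lax/Strict
rules follow draft-ietf-httpbis-cookie-same-site; the Request class and
the site comparison are deliberately simplified constructions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_site(url: str) -> str:
    """Rough 'site' extraction: last two host labels (no public-suffix lookup)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Request:
    url: str                 # where the request goes (the cookie's site)
    initiator: str           # page that caused the request
    method: str = "GET"
    top_level: bool = False  # navigation that replaces the document


def cookie_sent(samesite, request: Request) -> bool:
    """True if a cookie with this SameSite value (None = absent) accompanies the request."""
    same_site = registrable_site(request.url) == registrable_site(request.initiator)
    if same_site or samesite is None:
        return True
    mode = samesite.lower()
    if mode == "strict":
        return False
    if mode == "lax":
        # Lax: only top-level navigations with a safe method carry the cookie,
        # so a cross-site <form method="POST"> (the classic CSRF case) does not.
        return request.top_level and request.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value {samesite!r}")


def add_samesite(set_cookie: str, value: str = "Lax") -> str:
    """Append SameSite to a Set-Cookie header line if it lacks one."""
    if any(p.strip().lower().startswith("samesite=") for p in set_cookie.split(";")):
        return set_cookie
    return f"{set_cookie}; SameSite={value}"


if __name__ == "__main__":
    hdr = add_samesite("sessionid=abc123; HttpOnly; Path=/")  # constructed sample
    csrf = Request("https://bank.example/transfer", "https://evil.example/", "POST", True)
    print(hdr, "| cookie sent on cross-site POST:", cookie_sent("Lax", csrf))
```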