https://github.com/python/cpython/commit/aab9537cf09dd5ded663e4d6b8016193e0dbc3b2
commit: aab9537cf09dd5ded663e4d6b8016193e0dbc3b2
branch: 3.14
author: Miss Islington (bot) <31488909+miss-isling...@users.noreply.github.com>
committer: hugovk <1324225+hug...@users.noreply.github.com>
date: 2025-07-30T22:43:53+03:00
summary:
[3.14] gh-136992: Add "None" as valid `SameSite` value as per RFC 6265bis
(GH-137040) (#137140)
Co-authored-by: Iqra Khan <iqraakhan2...@gmail.com>
Co-authored-by: Bénédikt Tran <10796600+picn...@users.noreply.github.com>
files:
M Doc/library/http.cookies.rst
diff --git a/Doc/library/http.cookies.rst b/Doc/library/http.cookies.rst
index eb196320721194..46efc45c5e7d96 100644
--- a/Doc/library/http.cookies.rst
+++ b/Doc/library/http.cookies.rst
@@ -148,9 +148,12 @@ Morsel Objects
in HTTP requests, and is not accessible through JavaScript. This is intended
to mitigate some forms of cross-site scripting.
- The attribute :attr:`samesite` specifies that the browser is not allowed to
- send the cookie along with cross-site requests. This helps to mitigate CSRF
- attacks. Valid values for this attribute are "Strict" and "Lax".
+ The attribute :attr:`samesite` controls when the browser sends the cookie
with
+ cross-site requests. This helps to mitigate CSRF attacks. Valid values are
+ "Strict" (only sent with same-site requests), "Lax" (sent with same-site
+ requests and top-level navigations), and "None" (sent with same-site and
+ cross-site requests). When using "None", the "secure" attribute must also
+ be set, as required by modern browsers.
The attribute :attr:`partitioned` indicates to user agents that these
cross-site cookies *should* only be available in the same top-level context
_______________________________________________
Python-checkins mailing list -- python-checkins@python.org
To unsubscribe send an email to python-checkins-le...@python.org
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: arch...@mail-archive.com
