Re: Regression in Set-Cookie which affects Django users

2020-09-09 Thread Hanne Moa
django-cookie-samesite has a browser version guesser, because different browsers interpret samesite differently. The best solution I've heard of is setting two cookies with two different names, one the old way and one the Google way. Then check for both where checking needs done, one of them

Re: Regression in Set-Cookie which affects Django users

2020-08-23 Thread אורי
On Sun, Aug 23, 2020 at 8:19 AM Mariusz Felisiak wrote:
> It's not about the number of lines but about our backporting policy. We
> don't backport new features. Moreover Django 2.2 and 3.0 are in extended
> support. Per our

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread Mariusz Felisiak
It's not about the number of lines but about our backporting policy. We don't backport new features. Moreover Django 2.2 and 3.0 are in extended support. Per our backporting policy this means it doesn't qualify for a backport.

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread אורי
Hi, I looked at it and I think PR #11894 should be backported to all working versions of Django. It doesn't look like it will introduce new bugs or regressions. All I need is these 2 lines:

    if samesite.lower() not in ('lax', 'strict'):
        raise ValueError('samesite must be "lax" or "strict".')
    if

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread אורי
On Sat, Aug 22, 2020 at 10:07 PM Adam Johnson wrote:
> (The workaround is in this comment:
> https://github.com/django/django/pull/11894#issuecomment-577681440 , and
> if you want, a package: https://github.com/jotes/django-cookies-samesite )

Thank you. I was not aware of this package and

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread אורי
On Sat, Aug 22, 2020 at 9:48 PM Mariusz Felisiak wrote:
> We decided that it's a new feature that will not be backported to Django
> 3.0, see #30862, and discussion in PR (with few
> simple

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread אורי
On Sat, Aug 22, 2020 at 9:34 PM Adam Johnson wrote:
> Hi Uri
>
> You implied it, but to make it explicit - Django 3.1 allows setting the
> value "None" (string) for samesite cookies:
> https://docs.djangoproject.com/en/dev/releases/3.1/#django-contrib-sessions .
> Essentially you're asking for a

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread Adam Johnson
(The workaround is in this comment: https://github.com/django/django/pull/11894#issuecomment-577681440 , and if you want, a package: https://github.com/jotes/django-cookies-samesite )

On Sat, 22 Aug 2020 at 19:48, Mariusz Felisiak wrote:
> We decided that it's a new feature that will not be

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread Mariusz Felisiak
We decided that it's a new feature that will not be backported to Django 3.0, see #30862, and discussion in PR (with few simple workarounds).

Best,
Mariusz

Re: Regression in Set-Cookie which affects Django users

2020-08-22 Thread Adam Johnson
Hi Uri

You implied it, but to make it explicit - Django 3.1 allows setting the value "None" (string) for samesite cookies: https://docs.djangoproject.com/en/dev/releases/3.1/#django-contrib-sessions . Essentially you're asking for a backport of this feature. I think a backport is probably

Regression in Set-Cookie which affects Django users

2020-08-22 Thread אורי
Django developers,

I just created issue #31933: It seems that there is a regression in *Set-Cookie* in browsers such as Chrome and Dolphin, which affects Django users. *SESSION_COOKIE_SAMESITE = None* does not work any more with those browsers. This