Support samesite option in AuthtktAuthenticationPolicy and CookieCSRFStoragePolicy #3319
Conversation
|
It would be good to add a mention of what are same site cookies, why a developer would want to use them, and what the setting does in the narrative documentation. Perhaps in Security? Are we going to support Lax only, or Strict, too? Finally perhaps linking to the change in WebOb would be useful? |
| Default: ``'Lax'``. The 'samesite' option of the session cookie. Set | ||
| the value to ``None`` to turn off the samesite option. | ||
|
|
||
| This option is available as of :app:`Pyramid` 1.10. |
There was a problem hiding this comment.
Move the version info down to a `.. versionchanged:: 1.10directive at the bottom of the docstring and document it as "Added thesamesite`` option and made the default ``'Lax'``." similar to below in the csrf storage policy.
CHANGES.rst
Outdated
| - Modify ``pyramid.authentication.AuthTktAuthenticationPolicy`` and | ||
| ``pyramid.csrf.CookieCSRFStoragePolicy`` to support the SameSite option on | ||
| cookies. See https://github.com/Pylons/pyramid/pull/3319 | ||
|
|
There was a problem hiding this comment.
Document that the default value was changed to Lax.
This is fine but I don't think it's required for this PR. That has more to do with speculative best practices and hardening like #1845 is requesting.
lax/strict is not something to "support", it's just something that gets set on the cookie and the browser handles.
I don't think that's useful. |
|
@mcdonc please run the following commands: So next time you branch from |
|
Is this expected to be released any time soon ? |
|
@AvnerCohen no hard date yet. Progress on the release of Pyramid 1.10 is tracked in its milestone. The four "docs" tagged issues are nearly complete or will be dropped from the milestone. Other issues are in progress. Feedback is sought. |
See #2733