gh-136992: Add 'None' as valid SameSite value as per RFC6265bis #137040

Open: wants to merge 2 commits into base branch main

Conversation

@iqra-codes iqra-codes commented Jul 23, 2025

This PR adds missing documentation for the samesite attribute in the http.cookies module.

While the attribute was already listed among valid Morsel attributes, it lacked an explanation. This change adds clear and complete documentation explaining:

- The attribute's role in CSRF protection.
- The valid values: "Strict", "Lax", and "None".
- The requirement that "secure" must be set when using "SameSite=None".

This update brings the documentation in line with RFC6265bis and reflects current browser behaviour.


📚 Documentation preview 📚: https://cpython-previews--137040.org.readthedocs.build/
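An added example, written for this page and not part of the PR or of CPython's own code, showing how the documented attribute is set through http.cookies and how a server can check the "SameSite=None requires secure" rule before emitting the header. build_cookie, check_samesite and VALID_SAMESITE are helpers constructed for this example; the http.cookies module itself stores whatever samesite value is assigned and performs no such check, which is why the browser-side requirement has to be verified by the application.

```python
"""Added example (not part of the PR or of http.cookies): set the samesite
attribute on a Morsel and check the SameSite=None / Secure rule the
documentation describes before the Set-Cookie header is emitted."""
from http.cookies import SimpleCookie

# Values documented in the PR; compared case-insensitively here because
# browsers treat the attribute value case-insensitively.
VALID_SAMESITE = {"strict", "lax", "none"}


def build_cookie(name, value, samesite, secure=False, httponly=True, path="/"):
    """Return a SimpleCookie holding one Morsel with the given attributes.

    The Morsel accepts any string for "samesite" without validation, so a
    wrong value or a missing Secure flag only shows up when the browser
    rejects or drops the cookie.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["samesite"] = samesite
    morsel["path"] = path
    # "secure" and "httponly" are flags: any truthy value emits the attribute.
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    return cookie


def check_samesite(morsel):
    """Return a list of problems with a Morsel's SameSite/Secure settings.

    An empty list means the cookie is consistent with the documented rules:
    the value is one of Strict/Lax/None, and None is paired with Secure.
    """
    problems = []
    samesite = morsel["samesite"]  # "" when the attribute was never set
    if samesite and samesite.lower() not in VALID_SAMESITE:
        problems.append(f"unknown SameSite value {samesite!r}")
    if samesite.lower() == "none" and not morsel["secure"]:
        problems.append("SameSite=None requires the Secure attribute")
    return problems


def header_value(cookie, name):
    """Return the Set-Cookie header value the Morsel would produce."""
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed sample cookies: a cross-site session cookie done right,
    # the same cookie without Secure (browsers drop it), and a Lax CSRF token.
    good = build_cookie("session", "abc123", "None", secure=True)
    bad = build_cookie("session", "abc123", "None")
    lax = build_cookie("csrf", "tok", "Lax", secure=True, httponly=False)
    for label, cookie, name in (("good", good, "session"),
                                ("bad", bad, "session"),
                                ("lax", lax, "csrf")):
        print(label, header_value(cookie, name), check_samesite(cookie[name]))
```

Running the script prints the header each Morsel would emit next to the problems found; only the SameSite=None cookie that lacks Secure is flagged. The check lives in the application rather than the module because, as the PR text says, the requirement is enforced by browsers, not by http.cookies.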

python-cla-bot bot commented Jul 23, 2025

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app bedevere-app bot added awaiting review docs Documentation in the Doc dir skip news labels Jul 23, 2025
@github-project-automation github-project-automation bot moved this to Todo in Docs PRs Jul 23, 2025
@brianschubert brianschubert changed the title Doc: Add 'None' as valid SameSite value as per RFC6265bis gh-136992: Add 'None' as valid SameSite value as per RFC6265bis Jul 23, 2025

@ZeroIntensity ZeroIntensity left a comment


The change looks good to me, but please run pre-commit to fix the failing lint job.


@ZeroIntensity ZeroIntensity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

For future reference, you don't need to force push; we squash at the end.

@iqra-codes iqra-codes (author) commented

Thanks for the heads-up! I’ll avoid force-pushing next time.

Comment on lines +151 to +155
The attribute :attr:`samesite` controls when the browser sends the cookie with
cross-site requests. This helps to mitigate CSRF attacks. Valid values are
"Strict" (never sent with cross-site requests), "Lax" (sent with top-level
navigation), and "None" (always sent). When using "None", the "secure"
attribute must also be set, as required by modern browsers.
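Review bot: the last sentence of this hunk ("When using "None", the "secure" attribute must also be set, as required by modern browsers") should make clear that the requirement is enforced by the browser and not by this module: a Morsel accepts ``samesite = "None"`` without ``secure`` and emits the header unchanged, and it is the browser that then refuses the cookie. A short clause such as "the module does not check this; browsers reject SameSite=None cookies that are not Secure" would stop readers from expecting a CookieError.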

@picnixz picnixz Jul 25, 2025


Suggested change

Before:

The attribute :attr:`samesite` controls when the browser sends the cookie with
cross-site requests. This helps to mitigate CSRF attacks. Valid values are
"Strict" (never sent with cross-site requests), "Lax" (sent with top-level
navigation), and "None" (always sent). When using "None", the "secure"
attribute must also be set, as required by modern browsers.

After:

The attribute :attr:`samesite` controls when the browser sends the cookie with
cross-site requests. This helps to mitigate CSRF attacks. Valid values are
"Strict" (only sent with same-site requests), "Lax" (sent with same-site
requests and top-level navigations), and "None" (sent with same-site and
cross-site requests). When using "None", the "secure" attribute must also
be set, as required by modern browsers.

Let's use the same wording as the RFC.

Labels: awaiting merge; docs (Documentation in the Doc dir); needs backport to 3.13 (bugs and security fixes); needs backport to 3.14 (bugs and security fixes); skip news

Project status: Todo