gh-136992: Add 'None' as valid SameSite value as per RFC6265bis #137040

Merged
merged 7 commits into from
Jul 27, 2025

Conversation

iqra-codes
Contributor

@iqra-codes iqra-codes commented Jul 23, 2025

This PR adds missing documentation for the samesite attribute in the http.cookies module.

While the attribute was already listed among valid Morsel attributes, it lacked an explanation. This change adds clear and complete documentation explaining:

- The attribute's role in CSRF protection.
- The valid values: "Strict", "Lax", and "None".
- The requirement that "secure" must be set when using "SameSite=None".

This update brings the documentation in line with RFC6265bis and reflects current browser behaviour.


📚 Documentation preview 📚: https://cpython-previews--137040.org.readthedocs.build/
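As an added illustration of the rule this PR documents (example code, not part of the PR or of CPython), the helper below uses the standard-library `http.cookies` module to build a `Set-Cookie` value with a validated `samesite` attribute, and to audit an incoming `Set-Cookie` value for the SameSite=None-without-Secure combination that browsers reject. `build_cookie` and `audit_set_cookie` are names chosen here.

```python
# Added example: SameSite handling with http.cookies (not CPython's own code).
from http.cookies import SimpleCookie, CookieError

# Enforcement modes named by RFC 6265bis, compared case-insensitively.
VALID_SAMESITE = {"strict", "lax", "none"}


def build_cookie(name, value, samesite, secure=False, httponly=True):
    """Return a Set-Cookie header value for one cookie.

    Raises ValueError for an unknown SameSite mode, or for SameSite=None
    without Secure: browsers drop such cookies, so failing early beats a
    session that silently never arrives.
    """
    mode = samesite.lower()
    if mode not in VALID_SAMESITE:
        raise ValueError(f"invalid SameSite value: {samesite!r}")
    if mode == "none" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["samesite"] = samesite   # emitted as "SameSite=<value>"
    morsel["secure"] = secure       # flag attribute: emitted only when truthy
    morsel["httponly"] = httponly
    morsel["path"] = "/"
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Parse a Set-Cookie value and list SameSite findings (empty = fine)."""
    cookie = SimpleCookie()
    try:
        cookie.load(header_value)
    except CookieError as exc:
        return [f"unparseable cookie: {exc}"]
    findings = []
    for name, morsel in cookie.items():
        mode = morsel["samesite"].lower()   # "" when the attribute is absent
        secure = bool(morsel["secure"])     # "" or True after parsing
        if not mode:
            findings.append(f"{name}: no SameSite attribute (browser default applies)")
        elif mode not in VALID_SAMESITE:
            findings.append(f"{name}: unknown SameSite value {morsel['samesite']!r}")
        elif mode == "none" and not secure:
            findings.append(f"{name}: SameSite=None without Secure will be rejected")
    return findings
```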

@python-cla-bot

python-cla-bot bot commented Jul 23, 2025

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app bedevere-app bot added awaiting review docs Documentation in the Doc dir skip news labels Jul 23, 2025
@github-project-automation github-project-automation bot moved this to Todo in Docs PRs Jul 23, 2025
@brianschubert brianschubert changed the title Doc: Add 'None' as valid SameSite value as per RFC6265bis gh-136992: Add 'None' as valid SameSite value as per RFC6265bis Jul 23, 2025
Member

@ZeroIntensity ZeroIntensity left a comment

The change looks good to me, but please run pre-commit to fix the failing lint job.

Member

@ZeroIntensity ZeroIntensity left a comment

LGTM.

For future reference, you don't need to force push; we squash at the end.

@iqra-codes
Contributor Author

Thanks for the heads-up! I’ll avoid force-pushing next time.

iqra-codes and others added 2 commits July 27, 2025 00:08
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@picnixz
Member

picnixz commented Jul 27, 2025

Now, don't touch your branch at all. No need to update it either.

@picnixz picnixz merged commit ae8b7d7 into python:main Jul 27, 2025
25 checks passed
@github-project-automation github-project-automation bot moved this from Todo to Done in Docs PRs Jul 27, 2025
@miss-islington-app

Thanks @iqra-codes for the PR, and @picnixz for merging it 🌮🎉. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 27, 2025
…bis (pythonGH-137040)

The "SameSite" attribute defined in RFC 6265bis [1] allows the "Strict", "Lax" and "None"
enforcement modes. We already documented "Strict" and "Lax" as being valid values
but "None" was missing from the list. While the RFC has not been formally approved,
modern browsers support the "None" value [2, 3] thereby making sense to document it.

[1]: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis
[2]: https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
[3]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#none

---------
(cherry picked from commit ae8b7d7)

Co-authored-by: Iqra Khan <iqraakhan2519@gmail.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@picnixz
Member

picnixz commented Jul 27, 2025

Thank you for the contribution!

@bedevere-app

bedevere-app bot commented Jul 27, 2025

GH-137140 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Jul 27, 2025
@bedevere-app

bedevere-app bot commented Jul 27, 2025

GH-137141 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Jul 27, 2025
Labels
docs Documentation in the Doc dir skip news
Projects
Status: Done
3 participants