[3.14] gh-136992: Add "None" as valid `SameSite` value as per RFC 6265bis (GH-137040...

Co-authored-by: Iqra Khan <iqraakhan2519@gmail.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>

diff --git a/Doc/library/http.cookies.rst b/Doc/library/http.cookies.rst
index eb19632072119455ee79a414c9e9e84bb84a8aff..46efc45c5e7d96c0b7ca27491e0ffaefcd040046 100644 (file)
--- a/Doc/library/http.cookies.rst
+++ b/Doc/library/http.cookies.rst
@@ -148,9 +148,12 @@ Morsel Objects
    in HTTP requests, and is not accessible through JavaScript. This is intended
    to mitigate some forms of cross-site scripting.
 
-   The attribute :attr:`samesite` specifies that the browser is not allowed to
-   send the cookie along with cross-site requests. This helps to mitigate CSRF
-   attacks. Valid values for this attribute are "Strict" and "Lax".
+   The attribute :attr:`samesite` controls when the browser sends the cookie with
+   cross-site requests. This helps to mitigate CSRF attacks. Valid values are
+   "Strict" (only sent with same-site requests), "Lax" (sent with same-site
+   requests and top-level navigations), and "None" (sent with same-site and
+   cross-site requests). When using "None", the "secure" attribute must also
+   be set, as required by modern browsers.
 
    The attribute :attr:`partitioned` indicates to user agents that these
    cross-site cookies *should* only be available in the same top-level context