From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Wed, 30 Jul 2025 19:43:53 +0000 (+0200) Subject: [3.14] gh-136992: Add "None" as valid `SameSite` value as per RFC 6265bis (GH-137040... X-Git-Tag: v3.14.0rc2~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aab9537cf09dd5ded663e4d6b8016193e0dbc3b2;p=thirdparty%2FPython%2Fcpython.git [3.14] gh-136992: Add "None" as valid `SameSite` value as per RFC 6265bis (GH-137040) (#137140) Co-authored-by: Iqra Khan Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> --- diff --git a/Doc/library/http.cookies.rst b/Doc/library/http.cookies.rst index eb1963207211..46efc45c5e7d 100644 --- a/Doc/library/http.cookies.rst +++ b/Doc/library/http.cookies.rst @@ -148,9 +148,12 @@ Morsel Objects in HTTP requests, and is not accessible through JavaScript. This is intended to mitigate some forms of cross-site scripting. - The attribute :attr:`samesite` specifies that the browser is not allowed to - send the cookie along with cross-site requests. This helps to mitigate CSRF - attacks. Valid values for this attribute are "Strict" and "Lax". + The attribute :attr:`samesite` controls when the browser sends the cookie with + cross-site requests. This helps to mitigate CSRF attacks. Valid values are + "Strict" (only sent with same-site requests), "Lax" (sent with same-site + requests and top-level navigations), and "None" (sent with same-site and + cross-site requests). When using "None", the "secure" attribute must also + be set, as required by modern browsers. The attribute :attr:`partitioned` indicates to user agents that these cross-site cookies *should* only be available in the same top-level context
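Review bot: The rewritten paragraph now lists "None" right after "This helps to mitigate CSRF attacks", which reads as if all three values mitigate CSRF, whereas "None" restores cross-site sending and disables that protection; suggest moving the CSRF sentence so it applies only to "Strict" and "Lax", or adding a clause such as "\"None\" disables this protection and should be combined with other CSRF defences". Two smaller points in the same hunk: "secure" should use the same `:attr:`secure`` markup already used for `:attr:`samesite`` and `:attr:`partitioned`` so it cross-references the attribute, and a documented change in accepted values normally carries a `.. versionchanged::` directive naming the release (the commit is tagged for 3.14), which this hunk does not add. The statement that browsers require "secure" with "None" is correct as a description of browser behaviour, but the hunk alone does not show whether the library rejects the combination or merely documents it; the doc text should say which, so readers do not assume enforcement that may not exist.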