Language cookie samesite implementation

Hello!
I am using Django for my webapp.

A part of it is delivered in iframes, having functionality that changes the language cookie upon an outside request.
Everything works perfectly now, but as you know, in future Google will set up Chrome not to deliver cookies in iframes unless they are set with samesite=none.

My questions are:
First, Django 3 introduced LANGUAGE_COOKIE_SAMESITE. Will setting that to ‘None’ fix the Chrome warnings?

Then, as it seems here https://code.djangoproject.com/ticket/30862, Django has the feature to set the cookie to None, but it is not yet implemented. When will this happen, and how much time does it usually take for stuff like this to be imported?

as you know

I didn’t know that 🙂

Then, as it seems here #30862 (Explicitly SameSite: None cookies.) – Django Django has the feature to set the cookie to None but it is not yet implemented.

That ticket is closed with a PR merged for Django 3.1. You could use that today by installing Django from a specific commit on GitHub (guide to installing from GitHub), although this would mean using the unreleased pre-alpha Django.

Alternatively, and more safely, I think you should be able to implement a custom middleware that manipulates response.cookies appropriately so you can catch the language cookie being set and change its samesite setting.
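One way to implement the custom middleware suggested above, as an added example that is not from the thread, from Django, or from django-cookies-samesite: it follows Django's middleware protocol but does not import Django, so `FakeResponse` and `set_language_view` below are constructed stand-ins for `HttpResponse` and the `set_language` view, and the cookie name assumes Django's default `django_language`.

```python
from http.cookies import Morsel, SimpleCookie

# Python < 3.8 does not know the SameSite attribute; registering it makes the
# rendered Set-Cookie header include it (the same trick django-cookies-samesite uses).
Morsel._reserved.setdefault("samesite", "SameSite")

LANGUAGE_COOKIE_NAME = "django_language"  # assumes Django's default LANGUAGE_COOKIE_NAME


class LanguageCookieSameSiteNoneMiddleware:
    """Rewrite the language cookie to SameSite=None; Secure after the view runs.

    Follows Django's middleware protocol (a callable wrapping get_response) and only
    relies on response.cookies being an http.cookies.SimpleCookie, as on HttpResponse.
    Editing the Morsel directly sidesteps set_cookie()'s Lax/Strict-only validation
    in Django 2.x; the response is left untouched when the view did not set the cookie.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        morsel = response.cookies.get(LANGUAGE_COOKIE_NAME)
        if morsel is not None:
            morsel["samesite"] = "None"
            morsel["secure"] = True  # browsers drop SameSite=None cookies that are not Secure
        return response


class FakeResponse:
    """Constructed stand-in for HttpResponse; only .cookies is needed here."""

    def __init__(self):
        self.cookies = SimpleCookie()


def set_language_view(request):
    """Constructed view that sets the cookie the way set_language does (SameSite=Lax)."""
    response = FakeResponse()
    response.cookies[LANGUAGE_COOKIE_NAME] = "fr"
    response.cookies[LANGUAGE_COOKIE_NAME]["path"] = "/"
    response.cookies[LANGUAGE_COOKIE_NAME]["samesite"] = "Lax"
    return response


def set_cookie_header(view=set_language_view):
    """Run a view through the middleware; return the language cookie's Set-Cookie value."""
    response = LanguageCookieSameSiteNoneMiddleware(view)(request=None)
    return response.cookies[LANGUAGE_COOKIE_NAME].OutputString()
```

In a real project the class goes into MIDDLEWARE after LocaleMiddleware so it sees the cookie the set_language view writes; the Secure flag means the cookie is only sent over HTTPS, which is what Chrome requires for SameSite=None anyway.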

Here is more info about that - https://www.chromestatus.com/feature/5088147346030592

If you like, I could explain my functionality better.

Ah cool, thanks for the link

Hey folks. I am in the process of fixing this for a project. We are either going to write a thin middleware ourselves or plug in this package: https://pypi.org/project/django-cookies-samesite/

There is some support in Django 2.1 for the SameSite header - so check you can support the feature already. I am not clear what is different in 3.1 and 2.1 regarding this header.

We’re using django-cookies-samesite at Doctor on Demand. The problem that’s fixed by this PR for a future Django release is that the current version of SameSite handling does not support 'None' as a value (it only supported 'Lax' and 'Strict' initially).

We needed this feature to handle the changes that are coming soon from the Chrome team regarding SameSite. So far, we’ve been happy with django-cookies-samesite.

Hey mblayman, thanks for your reply. What version of Django are you on? We’re on 2.2.11 right now. I’m testing out django-cookies-samesite right now 🙂

I’m not super confident that the Doctor on Demand security team would be very excited for me to share that publicly so I’ll just say that it’s one of the currently supported versions. Sorry I can’t be more specific publicly.
