Language cookie samesite implementation

Hello!
I am using Django for my webapp.

A part of it is delivered in iframes, having functionality that changes the language cookie upon an outside request.
Everything works perfectly now but as you know in future, Google will setup Chrome not to deliver cookies in iframes unless they are set with samesite=none.

My questions are:
First, as introduced in Django 3 is the LANGUAGE_COOKIE_SAMESITE. Is setting that to ‘None’ will fix the Chrome warnings?

Then, as it seems here https://code.djangoproject.com/ticket/30862 Django has the feature to set the cookie to None but it is not yet implemented. When will this happens and how much time does it take usually for stuff like this to be imported.

as you know

I didn’t know that :slight_smile:

Then, as it seems here https://code.djangoproject.com/ticket/30862 Django has the feature to set the cookie to None but it is not yet implemented.

That ticket is closed with a PR merged for Django 3.1. You could use that today by installing Django from a specific commit on github (guide to installing from github), although this would mean using the unreleased pre-alpha Django.

Alternatively, and more safely, I think you should be able to implement a custom middleware that manipulates response.cookies appropriately so you can catch the language cookie being set and change its samesite setting.

Here is more info about that - https://www.chromestatus.com/feature/5088147346030592

If you like, I could explain my funcionality better.

Ah cool, thanks for the link

Hey folks. I am in the process of fixing this for a project. We are either going to write a thin middleware ourselves or plug in this package: https://pypi.org/project/django-cookies-samesite/

There is some support in Django 2.1 for the SameSite header - so check you can support the feature already. I am not clear what is different in 3.1 and 2.1 regarding this header.

We’re using django-cookies-samesite at Doctor on Demand. The problem that’s fixed by this PR for a future Django release is that the current version of SameSite handling does not support 'None' as a value (it only supported 'Lax' and 'Strict' initially).

We needed this feature to handle the changes that are coming soon from the Chrome team regarding SameSite. So far, we’ve been happy with django-cookies-samesite.

Hey mblayman, thanks for your reply. What version of Django are you on? We’re 2.2.11 right now. I’m testing out django-cookies-samesite right now :slight_smile:

I’m not super confident that the Doctor on Demand security team would be very excited for me to share that publicly so I’ll just say that it’s one of the currently supported versions. Sorry I can’t be more specific publicly.

1 Like