adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)


CORS_ALLOW_CREDENTIALS documentation should include a note about cookie samesite settings

jonathan-golorry opened this issue · comments

CORS_ALLOW_CREDENTIALS allows cookies to be sent in cross-domain responses, but the default setting for SESSION_COOKIE_SAMESITE is "Lax" instead of None, meaning the cookie won't get sent anyway. It isn't required, since there might be other cookies you want to send, but a note would be nice.


@jonathan-golorry Thank you for your comment. I have spent almost 1 day trying to find where the trouble is.

@jonathan-golorry @mark-slepkov I've added a note in #387. Would you mind fact-checking it? Thanks!

And @luc-phan if you have any input too since you 👍'd the comment above!

Looks good. I don't think this matters for CSRF_COOKIE_SAMESITE, since that shouldn't be going through CORS.

Indeed it should not!