CORS_ALLOW_CREDENTIALS documentation should include a note about cookie samesite settings
jonathan-golorry opened this issue · comments
CORS_ALLOW_CREDENTIALS allows cookies to be sent in cross-domain responses, but the default setting for SESSION_COOKIE_SAMESITE is "Lax" instead of None, meaning the cookie won't get sent anyway. It isn't required, since there might be other cookies you want to send, but a note would be nice.
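As an added illustration (not code from django-cors-headers or from anyone in this thread), a hypothetical settings check that encodes the interaction described above: the setting names are the real Django and django-cors-headers settings, while the two helper functions and their messages are assumptions.

```python
"""Hypothetical consistency check: CORS_ALLOW_CREDENTIALS vs. the session cookie's SameSite.

Not part of django-cors-headers. Encodes the browser rule that a cross-site
fetch/XHR only carries cookies marked SameSite=None, and that browsers accept
SameSite=None only together with the Secure flag (i.e. over HTTPS).
"""
from typing import Dict, List


def cookie_sent_on_cross_site_xhr(samesite, secure: bool) -> bool:
    """Return True if a browser attaches the cookie to a cross-site fetch/XHR.

    `samesite` is the Django setting value: "Strict", "Lax", "None", or
    None/False (attribute omitted, which current browsers treat as Lax).
    Django emits SameSite=None only for the *string* "None".
    """
    value = samesite if isinstance(samesite, str) else "Lax"
    if value.lower() == "none":
        return bool(secure)  # SameSite=None without Secure is rejected by browsers
    return False             # Strict and Lax cookies are withheld from cross-site XHR


def check_cors_cookie_settings(settings: Dict[str, object]) -> List[str]:
    """Return warnings for settings that silently defeat CORS_ALLOW_CREDENTIALS."""
    warnings: List[str] = []
    if not settings.get("CORS_ALLOW_CREDENTIALS", False):
        return warnings  # credentials are not allowed at all; nothing to check
    samesite = settings.get("SESSION_COOKIE_SAMESITE", "Lax")  # Django default
    secure = settings.get("SESSION_COOKIE_SECURE", False)      # Django default
    if cookie_sent_on_cross_site_xhr(samesite, secure):
        return warnings
    if isinstance(samesite, str) and samesite.lower() == "none":
        warnings.append(
            "SESSION_COOKIE_SAMESITE='None' requires SESSION_COOKIE_SECURE=True; "
            "browsers drop the cookie otherwise, so CORS_ALLOW_CREDENTIALS has no effect"
        )
    else:
        warnings.append(
            f"SESSION_COOKIE_SAMESITE={samesite!r} keeps the session cookie off cross-site "
            "requests; set it to 'None' with SESSION_COOKIE_SECURE=True if a browser client "
            "on another origin must send the session cookie"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample: credentials allowed but the session cookie still defaults to Lax.
    for line in check_cors_cookie_settings({"CORS_ALLOW_CREDENTIALS": True}):
        print("WARNING:", line)
```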
@jonathan-golorry Thank you for your comment. I have spent almost 1 day trying to find where the trouble is.
@jonathan-golorry @mark-slepkov I've added a note in #387. Would you mind fact-checking it? Thanks!
And @luc-phan if you have any input too since you 👍'd the comment above!
Looks good. I don't think this matters for CSRF_COOKIE_SAMESITE, since that shouldn't be going through CORS.
Indeed it should not!