forked from orbit-oss/flask
clean up samesite docs
This commit is contained in:
David Lord
parent
db5735c3ce
commit
382b13581e
4 changed files with 33 additions and 30 deletions
|
|
@ -210,12 +210,14 @@ The following configuration values are used internally by Flask:
|
|||
|
||||
.. py:data:: SESSION_COOKIE_SAMESITE
|
||||
|
||||
Browser will only send cookies to the domain that created them.
|
||||
There are two possible values for the same-site attribute: "Strict" and "Lax"
|
||||
If set to "None", the samesite flag is not set.
|
||||
Restrict how cookies are sent with requests from external sites. Can
|
||||
be set to ``'Lax'`` (recommended) or ``'Strict'``.
|
||||
See :ref:`security-cookie`.
|
||||
|
||||
Default: ``None``
|
||||
|
||||
.. versionadded:: 1.0
|
||||
|
||||
.. py:data:: PERMANENT_SESSION_LIFETIME
|
||||
|
||||
If ``session.permanent`` is true, the cookie's expiration will be set this
|
||||
|
|
@ -369,13 +371,15 @@ The following configuration values are used internally by Flask:
|
|||
``LOGGER_HANDLER_POLICY``, ``EXPLAIN_TEMPLATE_LOADING``
|
||||
|
||||
.. versionchanged:: 1.0
|
||||
|
||||
``LOGGER_NAME`` and ``LOGGER_HANDLER_POLICY`` were removed. See
|
||||
:ref:`logging` for information about configuration.
|
||||
|
||||
Added :data:`ENV` to reflect the :envvar:`FLASK_ENV` environment
|
||||
variable.
|
||||
|
||||
Added :data:`SESSION_COOKIE_SAMESITE` to control the session
|
||||
cookie's ``SameSite`` option.
|
||||
|
||||
|
||||
Configuring from Files
|
||||
----------------------
|
||||
|
|
|
|||
|
|
@ -184,6 +184,9 @@ contains the same data. ::
|
|||
|
||||
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||
|
||||
|
||||
.. _security-cookie:
|
||||
|
||||
Set-Cookie options
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
|
@ -194,19 +197,21 @@ They can be set on other cookies too.
|
|||
- ``Secure`` limits cookies to HTTPS traffic only.
|
||||
- ``HttpOnly`` protects the contents of cookies from being read with
|
||||
JavaScript.
|
||||
- ``SameSite`` ensures that cookies can only be requested from the same
|
||||
domain that created them. There are two possible values for the same-site
|
||||
attribute: "Strict" and "Lax"
|
||||
- ``SameSite`` restricts how cookies are sent with requests from
|
||||
external sites. Can be set to ``'Lax'`` (recommended) or ``'Strict'``.
|
||||
``Lax`` prevents sending cookies with CSRF-prone requests from
|
||||
external sites, such as submitting a form. ``Strict`` prevents sending
|
||||
cookies with all external requests, including following regular links.
|
||||
|
||||
::
|
||||
|
||||
app.config.update(
|
||||
SESSION_COOKIE_SECURE=True,
|
||||
SESSION_COOKIE_HTTPONLY=True,
|
||||
SESSION_COOKIE_SAMESITE='Strict'
|
||||
SESSION_COOKIE_SAMESITE='Lax',
|
||||
)
|
||||
|
||||
response.set_cookie('username', 'flask', secure=True, httponly=True, samesite='Strict')
|
||||
response.set_cookie('username', 'flask', secure=True, httponly=True, samesite='Lax')
|
||||
|
||||
Specifying ``Expires`` or ``Max-Age`` options, will remove the cookie after
|
||||
the given time, or the current time plus the age, respectively. If neither
|
||||
|
|
@ -239,6 +244,9 @@ values (or any values that need secure signatures).
|
|||
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
|
||||
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
|
||||
|
||||
.. _samesite_support: https://caniuse.com/#feat=same-site-cookie-attribute
|
||||
|
||||
|
||||
HTTP Public Key Pinning (HPKP)
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue