Fix #1417: Set sameSite=Lax by default

matthiask · matthiask · commit 3f6def6891d9 · 2020-12-22T09:46:24.000+01:00
diff --git a/debug_toolbar/static/debug_toolbar/js/toolbar.js b/debug_toolbar/static/debug_toolbar/js/toolbar.js
@@ -270,6 +270,9 @@ const djdt = {
                 options.path ? "; path=" + options.path : "",
                 options.domain ? "; domain=" + options.domain : "",
                 options.secure ? "; secure" : "",
+                "sameSite" in options
+                    ? "; sameSite=" + options.samesite
+                    : "; sameSite=Lax",
             ].join("");
 
             return value;
diff --git a/docs/changes.rst b/docs/changes.rst
@@ -1,6 +1,13 @@
 Change log
 ==========
 
+Next version
+------------
+
+* Changed ``djdt.cookie.set()`` to set ``sameSite=Lax`` by default if
+  callers do not provide a value.
+
+
 3.2 (2020-12-03)
 ----------------
 
