Allow Setting Pinning Cookie Attributes #53
Conversation
|
Hey @jbalogh, hope you are well! I just wanted to check to see if this change is something you would consider accepting at some point. (Full disclosure, @dchukhin is on my team at Caktus). We're happy to help in any way with merge and/or release. Thanks as always for the numerous Django packages we seem to find handy! 🙂 |
|
Hey, I'm not @jbalogh but I can review that, sorry for not catching it earlier. |
|
Also: if you rebase/merge with |
…s' into allow-setting-cookie-attributes
Add test for pinning cookie httponly, samesite, secure attributes
|
Hi @diox , I think these changes are what you were looking for. GitHub says you need to manually approve running CI on this PR because it's from a first-time contributor to this repository. Cheers! |
|
0.10 has been released with this change. |
This pull request allows users to set the pinning cookie's 'Secure', 'HttpOnly', and 'SameSite' attributes by using settings, which are based on Django's
CSRF_COOKIE_SECURE,CSRF_COOKIE_HTTPONLY, andCSRF_COOKIE_SAMESITEsettings.The defaults for these settings keep the current behavior: not Secure, not HttpOnly, and 'Lax' SameSite (currently, the SameSite attribute is unset, which should default to 'Lax' in browsers).
A part of this work also changes the
PINNING_COOKIEandPINNING_SECONDSinmultidb/middleware.pyto be functions, so they can be tested more easily.