Documentation

The http.cookies.rst mentions this:

The attribute :attr:samesite specifies that the browser is not allowed to send the cookie along with cross-site requests. This helps to mitigate CSRF attacks. Valid values for this attribute are "Strict" and "Lax".

But the samesite spec now also allows "None" and the code already allows it.

>>> import http.cookies
>>> sk = http.cookies.SimpleCookie()
>>> sk['test'] = ''
>>> sk['test']['samesite'] = 'None'
>>> sk.output()
'Set-Cookie: test=""; SameSite=None'

Linked PRs

• gh-136992: Add 'None' as valid SameSite value as per RFC6265bis #137040
• [3.14] gh-136992: Add "None" as valid SameSite value as per RFC 6265bis (GH-137040) #137140
• [3.13] gh-136992: Add "None" as valid SameSite value as per RFC 6265bis (GH-137040) #137141