From be9e57032f95fe8a2d8403ca792345770cdaa8b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?=
Date: Tue, 20 Oct 2020 13:35:19 +0200
Subject: Document the same_site changes And explain that browsers may be more strict over TCP vs TLS.
---
doc/src/manual/cow_cookie.asciidoc | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'doc')
diff --git a/doc/src/manual/cow_cookie.asciidoc b/doc/src/manual/cow_cookie.asciidoc
index 257d01e..0bde0ed 100644
--- a/doc/src/manual/cow_cookie.asciidoc
+++ b/doc/src/manual/cow_cookie.asciidoc
@@ -29,7 +29,7 @@ cookie_attrs() :: #{ path => binary(), secure => true, http_only => true,
- same_site => strict | lax
+ same_site => strict | lax | none
} ----
@@ -48,7 +48,7 @@ cookie_opts() :: #{ http_only => boolean(), max_age => non_neg_integer(), path => binary(),
- same_site => lax | strict,
+ same_site => strict | lax | none,
secure => boolean() } ----
@@ -83,10 +83,14 @@ be sent to the current "directory" of the effective request URI. same_site:: Whether the cookie should be sent along with cross-site
-requests. This header is currently non-standard but is in
+requests. This attribute is currently non-standard but is in
the process of being standardized. Please refer to the https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7[RFC 6265 (bis) draft] for details.
++
+The default value for this attribute may vary depending on
+user agent and configuration. Browsers are known to be more
+strict over TCP compared to TLS.
secure::
@@ -97,6 +101,8 @@ transfer. By default there are no restrictions. == Changelog
+* *2.10*: The `same_site` attribute and option may now be
+ set to `none`.
* *2.9*: The `cookie_attrs` type was added. * *1.0*: Module introduced.
--
cgit v1.2.3