`http.cookies` should mention that `samesite=None` is valid as per RFC6265bis

[schlenk]

Documentation

The http.cookies.rst mentions this:

The attribute :attr:samesite specifies that the browser is not allowed to send the cookie along with cross-site requests. This helps to mitigate CSRF attacks. Valid values for this attribute are "Strict" and "Lax".

But the samesite spec now also allows "None" and the code already allows it.

>>> import http.cookies
>>> sk = http.cookies.SimpleCookie()
>>> sk['test'] = ''
>>> sk['test']['samesite'] = 'None'
>>> sk.output()
'Set-Cookie: test=""; SameSite=None'

Linked PRs

• gh-136992: Add 'None' as valid SameSite value as per RFC6265bis #137040
• [3.14] gh-136992: Add "None" as valid SameSite value as per RFC 6265bis (GH-137040) #137140
• [3.13] gh-136992: Add "None" as valid SameSite value as per RFC 6265bis (GH-137040) #137141

[picnixz]

FTR this is defined in https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-4.1.1-2. However, note that RFC6265bis is not part of a standard track yet as it's still a draft. The SameSite attribute itself is, AFAIK, only defined there so we should be careful about this. Until the RFC is accepted I don't think we should actually change the docs.

OTOH, whatever is put inside the "samesite" attribute is actually stored (we don't have anything that checks the value). So we could also just improve the docs as I think the draft is likely to be accepted.

[picnixz]

Since Python 3.14 is in RC phase, I will hold the backport for 3.13 and 3.14 until then. Please keep the issue open.