Merge pull request rails#44934 from soartec-lab/add-api-doc-for-sames…

…ite-of-cookie Add API doc for the `same_site` option of the `cookie` [ci-skip]
ushi-as · Apr 24, 2022 · 29daa0b · 29daa0b
2 parents ef05f2e + 77e3608
commit 29daa0b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -176,6 +176,10 @@ def use_cookies_with_metadata
   #   Default is +false+.
   # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or
   #   only HTTP. Defaults to +false+.
+  # * <tt>:same_site</tt> - The value of the +SameSite+ cookie attribute, which
+  #   determines how this cookie should be restricted in cross-site contexts.
+  #   Possible values are +nil+, +:none+, +:lax+, and +:strict+. Defaults to
+  #   +:lax+.
   class Cookies
     HTTP_HEADER   = "Set-Cookie"
     GENERATOR_KEY = "action_dispatch.key_generator"

diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -44,8 +44,8 @@ module Session
     #   Rails.application.config.session_store :cookie_store, expire_after: 14.days
     #
     # would set the session cookie to expire automatically 14 days after creation.
-    # Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
-    # <tt>:httponly</tt>.
+    # Other useful options include <tt>:key</tt>, <tt>:secure</tt>,
+    # <tt>:httponly</tt>, and <tt>:same_site</tt>.
     class CookieStore < AbstractSecureStore
       class SessionId < DelegateClass(Rack::Session::SessionId)
         attr_reader :cookie_value