diff --git a/docs/user/advertising/ad-blocking.rst b/docs/user/advertising/ad-blocking.rst
index f54ab332ae8..2722b7bd446 100644
--- a/docs/user/advertising/ad-blocking.rst
+++ b/docs/user/advertising/ad-blocking.rst
@@ -62,7 +62,7 @@ Thank you for supporting Read the Docs.
 `Supporters `_ were provided an ad-free reading experience across all projects on Read the Docs while logged-in. However, the cross-site cookies needed to make that work are no longer supported by major browsers outside of Chrome,
-and this feature will soon disappear entirely.
+and this feature has been removed.
 
 Statistics and data
diff --git a/docs/user/api/cross-site-requests.rst b/docs/user/api/cross-site-requests.rst
index 2e1d38a1ed0..60827ef70c8 100644
--- a/docs/user/api/cross-site-requests.rst
+++ b/docs/user/api/cross-site-requests.rst
@@ -22,15 +22,13 @@ We implement it such way that it strictly match the intention of the API endpoin
 Cookies
 -------
-On |org_brand|, our session cookies have the ``SameSite`` attribute set to ``None``,
-this means they can be sent in cross site requests.
-This is needed for our sustainability API only,
-to not show ads if the current user is a :ref:`Gold User `.
+On |org_brand|, our session cookies have the ``SameSite`` attribute set to ``Lax``,
+This means that browsers will not include them in cross site requests.
 All resources in |org_brand| are public, you don't need to pass cookies to make use of our allowed APIs from other sites.
-On |com_brand|, our session cookies have the ``SameSite`` attribute set to ``Lax``.
-This means that browsers will not include them in cross site requests.
+On |com_brand|, our session cookies have the ``SameSite`` attribute set to ``Lax``,
+this means that browsers will not include them in cross site requests.
 If you need to have access to versions that the current user has permissions over, you can make use of our proxied APIs, they can be accessed from docs domains with the `/_/` prefix. For example, you can make use of our search API from `/_/api/v2/search/`.
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
index 9826a1c5afb..de5b7723ef7 100644
--- a/readthedocs/settings/base.py
+++ b/readthedocs/settings/base.py
@@ -104,16 +104,7 @@ def SHOW_DEBUG_TOOLBAR(self):
     SESSION_COOKIE_HTTPONLY = True
     SESSION_COOKIE_AGE = 30 * 24 * 60 * 60 # 30 days
     SESSION_SAVE_EVERY_REQUEST = False
-
-    @property
-    def SESSION_COOKIE_SAMESITE(self):
-        """
-        Cookie used in cross-origin API requests from *.rtd.io to rtd.org/api/v2/sustainability/.
-        """
-        if self.USE_PROMOS:
-            return "None"
-        # This is django's default.
-        return "Lax"
+    SESSION_COOKIE_SAMESITE = "Lax"
 
     # CSRF
     CSRF_COOKIE_HTTPONLY = True
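Review bot: The new `SESSION_COOKIE_SAMESITE = "Lax"` line carries no comment, and because `Lax` is already Django's default the explicit pin will read as redundant to the next maintainer, while the hunk deletes the only text that explained why this setting used to be conditional on `USE_PROMOS`. Suggest keeping that history next to the value: `# Django's default, pinned deliberately: the sustainability API that needed SameSite=None (session cookie sent cross-site from *.rtd.io) is gone, so no view should need the cookie in cross-site requests again.` One practical caveat: browsers only mandate the `Secure` flag for `SameSite=None`, so with `Lax` the cookie's transport protection now rests entirely on `SESSION_COOKIE_SECURE`, which is not visible in this hunk and should be confirmed to be set explicitly. `USE_PROMOS` is no longer read here; if this was its last reader in the class it can go too, though that cannot be told from this hunk. The enclosing settings class starts and ends outside the hunk.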
@@ -723,17 +714,12 @@ def SOCIALACCOUNT_PROVIDERS(self):
     # CORS
     # Don't allow sending cookies in cross-domain requests, this is so we can
     # relax our CORS headers for more views, but at the same time not opening
-    # users to CSRF attacks. The sustainability API is the only view that requires
-    # cookies to be send cross-site, we override that for that view only.
+    # users to CSRF attacks.
     CORS_ALLOW_CREDENTIALS = False
 
     # Allow cross-site requests from any origin,
     # all information from our allowed endpoits is public.
-    #
-    # NOTE: We don't use `CORS_ALLOW_ALL_ORIGINS=True`,
-    # since that will set the `Access-Control-Allow-Origin` header to `*`,
-    # we won't be able to pass credentials fo the sustainability API with that value.
-    CORS_ALLOWED_ORIGIN_REGEXES = [re.compile(".+")]
+    CORS_ALLOW_ALL_ORIGINS = True
     CORS_ALLOW_HEADERS = list(default_headers) + [
         "x-hoverxref-version",
     ]
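Review bot: The surviving comment above `CORS_ALLOW_ALL_ORIGINS = True` justifies the wildcard only by the endpoints being public, but it should also record that this setting and `CORS_ALLOW_CREDENTIALS = False` a few lines up are a coupled pair: as far as I recall django-cors-headers emits a literal `Access-Control-Allow-Origin: *` only while credentials are disabled and reflects the request Origin otherwise, so flipping credentials on later would silently turn this into "any origin, with cookies" — the exact exposure the removed `CORS_ALLOWED_ORIGIN_REGEXES = [re.compile(".+")]` already had. Suggest adding: `# Paired with CORS_ALLOW_CREDENTIALS = False above: with credentials off the header is a literal "*", which browsers never combine with cookies; turning credentials on would make this reflect any Origin.` Both guards also assume the CORS-enabled URL set (`CORS_URLS_REGEX`, not visible in this hunk) excludes the cookie-authenticated `/_/` proxied APIs that the docs change in this same commit describes. If `re` was imported into base.py only for the removed regex it is now an unused import; the enclosing settings class starts and ends outside the hunk.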