Changes between Version 4 and Version 6 of Ticket #30250
Timestamp: 03/13/2019 03:27:30 PM (2 years ago)
Ticket #30250
- Property Component changed from Uncategorized to Core (Other)
- Property Easy pickings unset
- Property Triage Stage changed from Unreviewed to Someday/Maybe
Ticket #30250 – Description
I think both CSRF and Session cookies shouldn't have the SameSite flag because I've found many 403 Forbidden issues on both on Safari 12. If more steps to reproduce beyond the links above are necessary, please let me know.

---
Update:

In fact, a much simpler flow is broken on Safari 12 with the default "Lax" settings.
If the user comes from a cross-site redirection (like a tracker link from an email provider), Safari doesn't send samesite=lax cookies on the request. This causes multiple issues:
1. User will not be logged in if `SESSION_COOKIE_SAMESITE = 'Lax'`. That behavior is only expected if `'Strict'`.
2. User will not be able to make AJAX POST requests if `CSRF_COOKIE_SAMESITE = 'Lax'`, because JS code won't be able to read the CSRF cookie.
3. POSTs on other open tabs/windows will fail if `CSRF_COOKIE_SAMESITE = 'Lax'`, because Safari triggered a CSRF cookie update after the first request without cookies.

Those issues do not happen on Chrome.
Full example here: https://github.com/vintasoftware/safari-samesite-cookie-issue
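A runnable model of the flow in the update (points 1 and 3), added here as an illustration and not code from the ticket, from Django or from Safari. `Site`, `cookies_sent`, `run_flow` and the `safari12` flag are constructed stand-ins: `Site` mimics a Django app whose session and CSRF cookies are SameSite=Lax and which issues a fresh csrftoken when a request arrives without one, and the CSRF check is a simplified double-submit comparison.

```python
import secrets


class Site:
    """Constructed stand-in for a Django site with Lax session/CSRF cookies."""
    def __init__(self):
        self.sessions = set()

    def login(self):
        """Same-site login: returns the cookies the browser stores (both Lax)."""
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return {"sessionid": sid, "csrftoken": secrets.token_hex(8)}

    def handle(self, method, cookies, header_token=None):
        """Return (logged_in, csrf_ok, set_cookies) for one request."""
        set_cookies = {}
        if "csrftoken" not in cookies:  # the cookie update the report describes
            set_cookies["csrftoken"] = secrets.token_hex(8)
        csrf_ok = method != "POST" or (
            header_token is not None and header_token == cookies.get("csrftoken"))
        return cookies.get("sessionid") in self.sessions, csrf_ok, set_cookies


def cookies_sent(jar, cross_site, top_level, safari12):
    """Lax cookies a browser attaches. Per the SameSite spec they ride on
    top-level cross-site navigations; `safari12=True` models the reported
    Safari 12 behaviour of omitting them after a cross-site redirect."""
    if not cross_site or (top_level and not safari12):
        return dict(jar)
    return {}


def run_flow(safari12):
    site = Site()
    jar = site.login()                  # user logged in earlier in this browser
    tab_b_dom_token = jar["csrftoken"]  # tab B's page was rendered with this token
    # Point 1: tracker link in an e-mail redirects (cross-site, top-level GET)
    logged_in, _, set_cookies = site.handle(
        "GET", cookies_sent(jar, cross_site=True, top_level=True, safari12=safari12))
    jar.update(set_cookies)             # browser stores the rotated csrftoken, if any
    # Point 3: tab B (same-site) posts with the token it still holds in the DOM
    _, tab_b_post_ok, _ = site.handle(
        "POST", cookies_sent(jar, cross_site=False, top_level=False, safari12=safari12),
        header_token=tab_b_dom_token)
    return {"logged_in_after_redirect": logged_in, "tab_b_post_ok": tab_b_post_ok}


if __name__ == "__main__":
    print("spec-compliant browser:", run_flow(safari12=False))
    print("Safari 12 as reported: ", run_flow(safari12=True))
```

With `safari12=True` the redirect lands logged out, the server issues a new csrftoken because none arrived, and tab B's stale token no longer matches the cookie, which is the 403 the report describes.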