Changes between Version 4 and Version 6 of Ticket #30250


Timestamp:
03/13/2019 03:27:30 PM (2 years ago)
Author:
Flávio Juvenal
Comment:

  • Ticket #30250

    • Property Component changed from Uncategorized to Core (Other)
    • Property Easy pickings unset
    • Property Triage Stage changed from Unreviewed to Someday/Maybe
  • Ticket #30250 – Description

    Unchanged (v4 and v6):

    I think both CSRF and Session cookies shouldn't have the SameSite flag because I've found many 403 Forbidden issues on both on Safari 12. If more steps to reproduce beyond the links above are necessary, please let me know.

    Added in v6:

    ---
    Update:

    In fact, a much simpler flow is broken on Safari 12 with the default "Lax" settings.
    If the user comes from a cross-site redirection (like a tracker link from an email provider), Safari doesn't send samesite=lax cookies on the request. This causes multiple issues:
    1. User will not be logged in if `SESSION_COOKIE_SAMESITE = 'Lax'`. That behavior is only expected if `'Strict'`.
    2. User will not be able to make AJAX POST requests if `CSRF_COOKIE_SAMESITE = 'Lax'`, because JS code won't be able to read the CSRF cookie.
    3. POSTs on other open tabs/windows will fail if `CSRF_COOKIE_SAMESITE = 'Lax'`, because Safari triggered a CSRF cookie update after the first request without cookies.

    Those issues do not happen on Chrome.
    Full example here: https://github.com/vintasoftware/safari-samesite-cookie-issue
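To make the reporter's expectation concrete, the following added example (not code from the ticket, the linked repository, or Django; the `Request` helper and scenario names are constructed) models the SameSite attachment rule from RFC 6265bis for the three situations described above. Under that rule a `Lax` cookie is still attached on a cross-site top-level GET such as a redirect from an email tracker link, which is why the ticket says a logged-out landing is only expected with `Strict`.

```python
"""Model of when a browser should attach a cookie, by SameSite value.
Added illustration for Django ticket #30250; the Request type and the
scenario constants below are constructed, not taken from the ticket."""
from dataclasses import dataclass

# Methods the spec treats as "safe" for the SameSite=Lax exception.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiated from another registrable domain
    top_level_navigation: bool  # browser navigates the top-level document


def cookie_attached(samesite, req):
    """True if a cookie with this SameSite value should be sent on req.

    None   -> always (the pre-SameSite behaviour)
    Strict -> never on cross-site requests
    Lax    -> cross-site only for top-level navigations with a safe method
    """
    if samesite is None or not req.cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return req.top_level_navigation and req.method in SAFE_METHODS
    raise ValueError(f"unknown SameSite value {samesite!r}")


# Scenario 1: user lands via a cross-site redirect (tracker link in an email).
EMAIL_LINK = Request("GET", cross_site=True, top_level_navigation=True)
# Scenario 2: AJAX POST issued by the site's own page after landing.
AJAX_POST = Request("POST", cross_site=False, top_level_navigation=False)
# The case SameSite exists to stop: a POST submitted from another site.
CROSS_SITE_POST = Request("POST", cross_site=True, top_level_navigation=True)


def expected_behaviour(samesite):
    """Spec-level outcome for the session/CSRF cookie under one setting."""
    return {
        "session sent on email-link landing": cookie_attached(samesite, EMAIL_LINK),
        "csrf cookie sent on same-site ajax": cookie_attached(samesite, AJAX_POST),
        "cookie sent on cross-site POST": cookie_attached(samesite, CROSS_SITE_POST),
    }


if __name__ == "__main__":
    for value in (None, "Lax", "Strict"):
        print(value, expected_behaviour(value))
```

Comparing the `Lax` row of this model against what Safari 12 actually did in the reporter's repository shows which step the browser dropped the cookie on.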