id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30250	Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default	Flávio Juvenal	nobody	"There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12 issue] that prevents common flows (sequences of requests) to work properly if there's `SameSite=lax` on cookies. This issue was [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel Bates, from Apple] and it's still open.

Examples of broken flows:
- OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
- Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-cookie-issue-with-safari-12/
- Validating an email: https://bugs.webkit.org/show_bug.cgi?id=188165#c40
- SAML flow: https://github.com/IronCountySchoolDistrict/django-python3-saml/issues/1

Since Safari 12 is the current stable version and it's widely deployed on iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most general solution and it's [https://github.com/aspnet/Announcements/issues/318 the one recommended by Microsoft to fix the similar issue on ASP.NET] (they didn't change the default, though).

Core developers, could you please let me know if you agree with that change, so I can make a PR updating the defaults and the documentation?

I think both CSRF and Session cookies shouldn't have the SameSite flag because I've found many 403 Forbidden issues on both on Safari 12. If more steps to reproduce beyond the links above are necessary, please let me know.

---
Update:

In fact, a much simpler flow is broken on Safari 12 with the default ""Lax"" settings.
If the user comes from a cross-site redirection (like a tracker link from an email provider), Safari doesn't send samesite=lax cookies on the request. This causes multiple issues:
1. User will not be logged in if `SESSION_COOKIE_SAMESITE = 'Lax'`. That behavior is only expected if `'Strict'`.
2. User will not be able to make AJAX POST requests if `CSRF_COOKIE_SAMESITE = 'Lax'`, because JS code won't be able to read the CSRF cookie.
3. POSTs on other open tabs/windows will fail if `CSRF_COOKIE_SAMESITE = 'Lax'`, because Safari triggered a CSRF cookie update after the first request without cookies.

Those issues do not happen on Chrome.
Full example here: https://github.com/vintasoftware/safari-samesite-cookie-issue"	Bug	closed	Core (Other)	2.1	Normal	duplicate	samesite,csrf,session,cookies	Maciej Olko	Someday/Maybe	0	0	0	0	0	0