#30732 closed Cleanup/optimization (fixed)
The default SameSite cookie flag breaks xframe_options_exempt
| Reported by: | Dan Braghis | Owned by: | Jezeniel Zapanta |
|---|---|---|---|
| Component: | Documentation | Version: | 2.2 |
| Severity: | Normal | Keywords: | CSRF, SameSite, Clickjacking |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
xframe_options_exempt is broken with the default setting for CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE (i.e. Lax) as of #27863.
Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2.
To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with xframe_options_exempt
- load the view in an iframe and try to submit.
At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it.
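The failure described above comes from the browser, not from Django's clickjacking code: with SameSite=Lax the browser withholds the csrftoken (and sessionid) cookie from a POST made inside a cross-site iframe, so CsrfViewMiddleware never sees the cookie and rejects the request. The following is an added example, not code from the ticket or from Django: a small model of the SameSite send rules applied to this scenario. The site names (app.example, partner.example), the status codes and the simplifications (no cookie Domain/Path matching, no "Lax+POST" grace period) are assumptions of the example.

```python
# Added example for this ticket: a simplified model of the browser's SameSite
# cookie rules applied to a form served by app.example and embedded in an
# iframe on partner.example. Not Django code; names and numbers are made up.
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str          # "Strict", "Lax" or "None"
    secure: bool = True


@dataclass(frozen=True)
class Request:
    method: str
    target_site: str            # site the request goes to (the Django app)
    top_level_site: str         # site in the address bar (the embedding page)
    top_level_navigation: bool  # True when the request replaces the top document
    https: bool = True


def browser_sends(cookie: Cookie, req: Request) -> bool:
    """Would a browser attach `cookie` to `req`? Simplified: ignores cookie
    Domain/Path matching and Chrome's two-minute "Lax+POST" grace period."""
    if cookie.secure and not req.https:
        return False
    if req.target_site == req.top_level_site:
        return True                 # same-site request: always sent
    if cookie.samesite == "None":
        return cookie.secure        # cross-site only when also Secure
    if cookie.samesite == "Strict":
        return False
    # Lax: cross-site only on a top-level navigation using a safe method
    return req.top_level_navigation and req.method in SAFE_METHODS


def csrf_middleware(req: Request, cookies_sent: set) -> int:
    """Outcome of Django's CsrfViewMiddleware in this model: an unsafe method
    without the CSRF cookie is rejected ("CSRF cookie not set." in Django)."""
    if req.method in SAFE_METHODS:
        return 200
    if "csrftoken" not in cookies_sent:
        return 403
    return 200


def submit(samesite: str, secure: bool = True,
           top_level_site: str = "partner.example",
           top_level_navigation: bool = False, method: str = "POST") -> int:
    """Submit the embedded form with cookies issued using the given SameSite
    and Secure attributes, i.e. what CSRF_COOKIE_SAMESITE and
    SESSION_COOKIE_SAMESITE control. Returns the HTTP status the app gives."""
    cookies = [Cookie("csrftoken", samesite, secure),
               Cookie("sessionid", samesite, secure)]
    req = Request(method, "app.example", top_level_site, top_level_navigation)
    sent = {c.name for c in cookies if browser_sends(c, req)}
    return csrf_middleware(req, sent)


if __name__ == "__main__":
    for value in ("Lax", "Strict", "None"):
        print(f"cross-site iframe POST, SameSite={value}: {submit(value)}")
    print("same-site iframe POST, SameSite=Lax:",
          submit("Lax", top_level_site="app.example"))
```

Running it shows the ticket's symptom (Lax and Strict both give 403 for the cross-site iframe POST) and the only cookie attribute combination that makes an embedded cross-site form work, SameSite=None together with Secure; None without Secure is dropped by browsers. In Django 2.2 the two settings accept only 'Lax', 'Strict' or None (unset, which omits the attribute entirely); the string value 'None' is accepted from Django 3.1 onwards.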
Change History (9)
comment:1, 5 years ago
Description: modified
comment:2, 5 years ago (follow-up: comment:4)
Component: CSRF → Documentation
Easy pickings: set
Keywords: CSRF SameSite Clickjacking added
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization
comment:4, 5 years ago
Replying to Carlton Gibson:
These topics are orthogonal, but, OK yes, often the reason to allow use in an iframe would be form submission. As such, a note in docs/ref/clickjacking.txt cross-linking to the CSRF_COOKIE_SAMESITE and/or SESSION_COOKIE_SAMESITE docs would seem appropriate.
I have some questions regarding this, maybe this is somehow unrelated to the ticket, but what if you just want to disable CSRF_COOKIE_SAMESITE for a certain view? If we modify CSRF_COOKIE_SAMESITE it will be disabled globally; what if you want granular control over this? Will it be possible?
comment:6, 5 years ago
Triage Stage: Accepted → Ready for checkin