Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#30732 closed Cleanup/optimization (fixed)

The default SameSite cookie flag breaks xframe_options_exempt

Reported by: Dan Braghis
Owned by: Jezeniel Zapanta
Component: Documentation
Version: 2.2
Severity: Normal
Keywords: CSRF, SameSite, Clickjacking
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description (last modified by Dan Braghis)

xframe_options_exempt is broken with the default setting for CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE (i.e. Lax) as of #27863.

Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2

To reproduce:

  • create a simple form
  • show it on a page with a custom view, decorated with xframe_options_exempt
  • load the view in an iframe and try to submit.

At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it.
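Added illustration, not code from the ticket or from Django: a small model of the browser's SameSite rule, run through the reporter's scenario. It shows why a form posted from inside a cross-site iframe arrives without its Lax CSRF cookie (xframe_options_exempt only removes X-Frame-Options; CsrfViewMiddleware still runs and answers 403), and which settings change the outcome. The `Settings` class, `cookie_attached` and `embedded_form_post` are constructed for this example; the model assumes current browser behaviour, where an omitted SameSite attribute is treated as Lax and a SameSite=None cookie is only accepted together with Secure.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_attached(samesite, cross_site, method, top_level):
    """Model (assumption: current browser rules) of whether a cookie with the
    given SameSite attribute is sent. `samesite` is the Django setting value:
    'Strict', 'Lax', 'None', or None (attribute omitted, treated as Lax).
    `cross_site` is True when the page issuing the request is on another site
    than the cookie's origin; `top_level` is True for a navigation of the top
    window (link click or form post replacing the page), False for anything a
    frame does."""
    attr = "Lax" if samesite is None else samesite
    if not cross_site or attr == "None":
        return True
    if attr == "Strict":
        return False
    # Lax: only top-level navigations with a safe method carry the cookie.
    return top_level and method in SAFE_METHODS


@dataclass
class Settings:
    """Hypothetical subset of Django settings relevant to this ticket."""
    CSRF_COOKIE_SAMESITE: object = "Lax"   # Django 2.2 default
    CSRF_COOKIE_SECURE: bool = False


def embedded_form_post(settings):
    """Status the browser sees when a form rendered in a cross-site iframe on
    an xframe_options_exempt view is submitted. CsrfViewMiddleware rejects any
    POST whose CSRF cookie is missing, regardless of the X-Frame-Options
    exemption."""
    # A SameSite=None cookie without Secure is dropped by the browser, so it
    # never reaches the server either.
    if settings.CSRF_COOKIE_SAMESITE == "None" and not settings.CSRF_COOKIE_SECURE:
        return 403
    has_csrf_cookie = cookie_attached(settings.CSRF_COOKIE_SAMESITE,
                                      cross_site=True, method="POST",
                                      top_level=False)
    return 200 if has_csrf_cookie else 403


if __name__ == "__main__":
    print(embedded_form_post(Settings()))              # 403: the reported bug
    print(embedded_form_post(Settings("None", True)))  # 200: opted out, Secure
    print(embedded_form_post(Settings("None", False))) # 403: cookie rejected
```

The same model shows that a same-site embedding page is unaffected (`cross_site=False`), so the 403 only appears when the iframe is hosted on another site.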

Change History (9)

comment:1 by Dan Braghis, 5 years ago

Description: modified (diff)

comment:2 by Carlton Gibson, 5 years ago

Component: CSRF → Documentation
Easy pickings: set
Keywords: CSRF SameSite Clickjacking added
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

These topics are orthogonal, but, OK yes, often the reason to allow use in an iframe would be form submission.

As such, a note in docs/ref/clickjacking.txt cross-linking to the CSRF_COOKIE_SAMESITE and/or SESSION_COOKIE_SAMESITE docs would seem appropriate.

comment:3 by Jezeniel Zapanta, 5 years ago

Owner: changed from nobody to Jezeniel Zapanta
Status: new → assigned

Will handle this ticket.

comment:4 by Jezeniel Zapanta, 5 years ago (in reply to comment:2)

Replying to Carlton Gibson:

These topics are orthogonal, but, OK yes, often the reason to allow use in an iframe would be form submission.

As such, a note in docs/ref/clickjacking.txt cross-linking to the CSRF_COOKIE_SAMESITE and/or SESSION_COOKIE_SAMESITE docs would seem appropriate.

I have some questions regarding this, maybe this is somehow unrelated to the ticket, but what if you just want to disable the CSRF_COOKIE_SAMESITE for a certain view? If we modify CSRF_COOKIE_SAMESITE it will be disabled globally; what if you want granular control over this? Will it be possible?

Last edited 5 years ago by Jezeniel Zapanta (previous) (diff)

comment:5 by Jezeniel Zapanta, 5 years ago

Has patch: set
Last edited 5 years ago by Mariusz Felisiak (previous) (diff)

comment:6 by Mariusz Felisiak, 5 years ago

Triage Stage: Accepted → Ready for checkin

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Resolution: fixed
Status: assigned → closed

In e8ad265a:

Fixed #30732 -- Doc'd that SameSite cookies flags can affect xframe_options_exempt.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

In 9510af35:

[3.0.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect xframe_options_exempt.

Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master

comment:9 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

In 62a4a50:

[2.2.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect xframe_options_exempt.

Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master
