id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30732	The default SameSite cookie flag breaks xframe_options_exempt	Dan Braghis	Jezeniel Zapanta	"{{{xframe_options_exempt}}} is broken with the default setting for {{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} (i.e. {{{Lax}}}) as of #27863.

Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2

To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with {{{xframe_options_exempt}}}
- load the view in an iframe and try to submit.

At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it."	Cleanup/optimization	closed	Documentation	2.2	Normal	fixed	CSRF, SameSite, Clickjacking		Ready for checkin	1	0	0	0	1	0
