﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30732	The default SameSite cookie flag breaks xframe_options_exempt	Dan Braghis	nobody	"{{{xframe_options_exempt}}} is broken with the default setting for {{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} (i.e. {{{Lax}}}) as of #27863.

Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2

To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with {{{xframe_options_exempt}}}
- load the view in an iframe and try to submit.

At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it."	Uncategorized	new	CSRF	2.2	Normal				Unreviewed	0	0	0	0	0	0
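Added example (not from the ticket or from Django's own code): a small, self-contained model of a browser's SameSite cookie rules and of the cookie/form-field comparison done by Django's CsrfViewMiddleware, to show why the embedded form described above gets a 403. A request issued from inside an <iframe> is never a top-level navigation, so when the embedding page is on another site the browser withholds a Lax (or Strict) csrftoken cookie and the middleware reports "CSRF cookie not set." The domain names, the token value and the helper names (`cookies_sent`, `csrf_check`, `submit_embedded_form`, `follow_cross_site_link`) are constructed for illustration; the model deliberately omits Django's Referer check for HTTPS requests and treats a cookie with no SameSite attribute the legacy way (sent cross-site), which is what pre-2.1 Django relied on and what newer browsers no longer do by default. The string `'None'` as a setting value is accepted only by later Django versions, not by 2.2.

```python
# Added example, not Django code: models SameSite cookie handling plus the
# CSRF double-submit check to reproduce the ticket's 403 in the interpreter.
from dataclasses import dataclass
from typing import Dict, List, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN = "constructedcsrfsecret0123456789abcdef"  # constructed stand-in for a real token

# Rejection reasons reported by Django's CsrfViewMiddleware on a 403
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "Lax", "Strict", "None", or None (attribute absent)
    secure: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    site: str                 # site of the request URL (the Django app)
    initiator_site: str       # site of the page that caused the request
    top_level_navigation: bool = False  # True when the whole tab navigates
    https: bool = True


def cookies_sent(jar: List[Cookie], req: Request) -> Dict[str, str]:
    """Return the cookies a SameSite-aware browser attaches to `req` (simplified).

    Lax cookies cross the site boundary only on top-level navigations using a
    safe method; Strict cookies never do; SameSite=None cookies always do but
    must also be Secure.  A form inside an <iframe> submits a non-navigational
    POST, so on a cross-site embedding page a Lax cookie is withheld.
    """
    cross_site = req.site != req.initiator_site
    sent: Dict[str, str] = {}
    for c in jar:
        if c.secure and not req.https:
            continue                       # Secure cookies never travel over http
        mode = c.samesite
        if mode == "None" and not c.secure:
            continue                       # browsers reject SameSite=None without Secure
        if cross_site and mode is not None:
            if mode == "Strict":
                continue
            if mode == "Lax" and not (req.top_level_navigation and req.method in SAFE_METHODS):
                continue
        sent[c.name] = c.value
    return sent


def csrf_check(cookies: Dict[str, str], post_data: Dict[str, str]) -> Optional[str]:
    """Return Django's rejection reason, or None when the POST is accepted.

    Models only the cookie vs. csrfmiddlewaretoken comparison; the Referer
    check Django performs for HTTPS requests is left out.
    """
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    if post_data.get("csrfmiddlewaretoken") != cookie_token:
        return REASON_BAD_TOKEN
    return None


def submit_embedded_form(samesite: Optional[str], secure: bool, embedding_site: str) -> Optional[str]:
    """A form served by forms.example and embedded (the view being decorated with
    xframe_options_exempt) on `embedding_site` is submitted from the iframe.
    Returns the 403 reason, or None if the submission would succeed."""
    jar = [Cookie("csrftoken", TOKEN, samesite, secure)]
    req = Request("POST", site="forms.example", initiator_site=embedding_site)
    return csrf_check(cookies_sent(jar, req), {"csrfmiddlewaretoken": TOKEN})


def follow_cross_site_link(samesite: Optional[str], secure: bool) -> bool:
    """Top-level GET navigation from another site: the case Lax is designed to allow."""
    jar = [Cookie("csrftoken", TOKEN, samesite, secure)]
    req = Request("GET", site="forms.example", initiator_site="partner.example",
                  top_level_navigation=True)
    return "csrftoken" in cookies_sent(jar, req)


if __name__ == "__main__":
    # Django 2.2 default (Lax): the embedded cross-site POST is rejected.
    print("Lax, embedded on partner.example:", submit_embedded_form("Lax", False, "partner.example"))
    # Same-site embedding keeps working, as does a SameSite=None; Secure cookie.
    print("Lax, embedded on forms.example:", submit_embedded_form("Lax", False, "forms.example"))
    print("None+Secure, embedded on partner.example:", submit_embedded_form("None", True, "partner.example"))
```

Running the module prints the rejection reason for the Lax case and `None` for the two accepted cases. The practical consequence for the ticket is that `xframe_options_exempt` only lifts the X-Frame-Options header; whether the CSRF and session cookies reach the view from a cross-site frame is decided by the cookies' SameSite attribute, which in 2.2 is a global setting rather than something the decorator can influence.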
