Opened 5 years ago
Last modified 5 years ago
#30732 closed Cleanup/optimization
The default SameSite cookie flag breaks xframe_options_exempt — at Version 1
| Reported by: | Dan Braghis | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 2.2 |
| Severity: | Normal | Keywords: | CSRF, SameSite, Clickjacking |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description (last modified by )
xframe_options_exempt is broken with the default setting for CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE (i.e. Lax) as of #27863.
Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2
To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with
xframe_options_exempt - load the view in an iframe and try to submit.
At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it.
Note:
See TracTickets
for help on using tickets.