Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#30732 closed Cleanup/optimization (fixed)

The default SameSite cookie flag breaks xframe_options_exempt

Reported by: Dan Braghis Owned by: Jezeniel Zapanta
Component: Documentation Version: 2.2
Severity: Normal Keywords: CSRF, SameSite, Clickjacking
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description (last modified by Dan Braghis)

xframe_options_exempt is broken with the default setting for CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE (i.e. Lax) as of #27863.

Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2

To reproduce:

  • create a simple form
  • show it on a page with a custom view, decorated with xframe_options_exempt
  • load the view in an iframe and try to submit.

At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it.

Change History (9)

comment:1 by Dan Braghis, 5 years ago

Description: modified (diff)

comment:2 by Carlton Gibson, 5 years ago

Component: CSRFDocumentation
Easy pickings: set
Keywords: CSRF SameSite Clickjacking added
Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization

These topics are orthogonal, but, OK yes, often the reason to allow use in an iframe would be form submission.

As such, a note in docs/ref/clickjacking.txt cross-linking to the CSRF_COOKIE_SAMESITE and/or SESSION_COOKIE_SAMESITE docs would seem appropriate.

comment:3 by Jezeniel Zapanta, 5 years ago

Owner: changed from nobody to Jezeniel Zapanta
Status: newassigned

Will handle this ticket.

in reply to:  2 comment:4 by Jezeniel Zapanta, 5 years ago

Replying to Carlton Gibson:

These topics are orthogonal, but, OK yes, often the reason to allow use in an iframe would be form submission.

As such, a note in docs/ref/clickjacking.txt cross-linking to the CSRF_COOKIE_SAMESITE and/or SESSION_COOKIE_SAMESITE docs would seem appropriate.

I have some questions regarding this, maybe this is somehow unrelated to the ticket but what if you just want to disable the CSRF_COOKIE_SAMESITE to a certain view? If we modify CSRF_COOKIE_SAMESITE it will be disabled globally, what if you want granular control over this? Will it be possibe?

Last edited 5 years ago by Jezeniel Zapanta (previous) (diff)

comment:5 by Jezeniel Zapanta, 5 years ago

Has patch: set
Version 0, edited 5 years ago by Jezeniel Zapanta (next)

comment:6 by Mariusz Felisiak, 5 years ago

Triage Stage: AcceptedReady for checkin

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Resolution: fixed
Status: assignedclosed

In e8ad265a:

Fixed #30732 -- Doc'd that SameSite cookies flags can affect xframe_options_exempt.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

In 9510af35:

[3.0.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect xframe_options_exempt.

Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master

comment:9 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

In 62a4a50:

[2.2.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect xframe_options_exempt.

Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master

Note: See TracTickets for help on using tickets.
Back to Top