Opened 5 years ago
Last modified 5 years ago
#30732 closed Cleanup/optimization
The default SameSite cookie flag breaks xframe_options_exempt — at Version 1
Reported by: | Dan Braghis | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 2.2 |
Severity: | Normal | Keywords: | CSRF, SameSite, Clickjacking |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description (last modified by )
xframe_options_exempt is broken with the default setting for CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE (i.e. Lax) as of #27863.
Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2.
To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with xframe_options_exempt
- load the view in an iframe and try to submit.
At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it.
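Why the reproduction above ends in a 403, as an added example that is not part of the ticket or of Django: a small Python model of the browser's SameSite rules (Strict, Lax, None) applied to Django's csrftoken and sessionid cookies on a POST issued from inside a cross-site iframe. The Cookie and Request fields and the simulate_embedded_form_post helper are assumptions made for illustration; note that Django 2.2 itself does not accept the 'None' value for these settings (support for it arrived in Django 3.1).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of browser SameSite cookie rules (added example, not the
# ticket's or Django's code). Methods a browser treats as "safe" for Lax.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str  # "Strict", "Lax" or "None"
    secure: bool = False

@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiator site differs from the cookie's site
    top_level_navigation: bool  # main-frame navigation, not a subframe load
    https: bool = True

def cookie_is_sent(cookie: Cookie, request: Request) -> bool:
    """True if a browser applying the SameSite rules attaches the cookie."""
    if not request.cross_site:
        return True  # same-site requests always carry the cookie
    if cookie.samesite == "Strict":
        return False  # never on cross-site requests
    if cookie.samesite == "Lax":
        # Only top-level navigations with a safe method qualify; a POST from
        # inside an iframe is neither, so csrftoken and sessionid stay behind.
        return request.top_level_navigation and request.method in SAFE_METHODS
    # SameSite=None: sent cross-site, but browsers require Secure over HTTPS.
    return cookie.secure and request.https

def simulate_embedded_form_post(samesite: str) -> Tuple[int, List[str]]:
    """Submit the ticket's form from a cross-site iframe; return the status
    CsrfViewMiddleware would produce and the cookie names that arrived."""
    cookies = [Cookie("csrftoken", samesite, secure=True),
               Cookie("sessionid", samesite, secure=True)]
    post = Request(method="POST", cross_site=True, top_level_navigation=False)
    arrived = [c.name for c in cookies if cookie_is_sent(c, post)]
    # CsrfViewMiddleware rejects an unsafe request whose CSRF cookie is missing.
    status = 200 if "csrftoken" in arrived else 403
    return status, arrived

if __name__ == "__main__":
    for mode in ("Lax", "Strict", "None"):
        print(mode, simulate_embedded_form_post(mode))
```

With Lax (the 2.2 default) neither cookie reaches the server on the iframe POST, so the X-Frame-Options exemption alone cannot make the embedded form work.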