Opened 5 years ago

Last modified 5 years ago

#30732 closed Cleanup/optimization

The default SameSite cookie flag breaks xframe_options_exempt — at Version 1

Reported by: Dan Braghis
Owned by: nobody
Component: Documentation
Version: 2.2
Severity: Normal
Keywords: CSRF, SameSite, Clickjacking
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description (last modified by Dan Braghis)

xframe_options_exempt is broken with the default setting for CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE (i.e. Lax) as of #27863.

Our use case: an embeddable form started returning 403 when submitted after upgrading to 2.2.

To reproduce:

  • create a simple form
  • show it on a page with a custom view, decorated with xframe_options_exempt
  • load the view in an iframe and try to submit.

At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a note about it.
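Added example, not part of the ticket or of Django: a small model of the browser's SameSite decision applied to the reproduction steps above. It shows why xframe_options_exempt is not enough on its own: the form renders inside the frame (a GET is never blocked by the CSRF check), but the POST from inside a cross-site frame is a cross-site request, so a SameSite=Lax csrftoken cookie is withheld and the CSRF check fails with 403. The `Request` class, the helper names and the domains `partner.test` / `example.com` are constructed for this example.

```python
"""Why a SameSite=Lax CSRF cookie breaks a form POSTed from a cross-site iframe.

Constructed model: the browser rules are reduced to the cases that matter
here (same-site vs. cross-site, framed vs. top-level, safe vs. unsafe method),
and the server side mirrors what CsrfViewMiddleware does: an unsafe request
that arrives without the csrftoken cookie is rejected with 403.
"""
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class Request:
    method: str       # HTTP method of the request
    top_site: str     # registrable domain of the top-level browsing context
    target_site: str  # registrable domain the request is sent to
    in_frame: bool    # True if the request originates inside an <iframe>


def cookie_is_sent(samesite, req):
    """Return True if a cookie with this SameSite attribute accompanies req.

    samesite is 'Strict', 'Lax', or None (attribute absent, cookie sent on
    every request). Same-site is judged against the top-level page, so a
    request made from inside a frame on another site is cross-site even
    when the frame's own document came from the target site.
    """
    if samesite is None or req.top_site == req.target_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        # Lax permits only top-level navigations that use a safe method.
        return not req.in_frame and req.method in ("GET", "HEAD")
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def csrf_status(samesite, req):
    """HTTP status the CSRF middleware yields for req: 200 or 403."""
    if req.method in SAFE_METHODS:
        return 200  # safe methods are never subject to the CSRF check
    return 200 if cookie_is_sent(samesite, req) else 403


# The ticket's scenario: the form is served by example.com, embedded in a
# frame on partner.test, then submitted from inside that frame.
FRAMED_GET = Request("GET", "partner.test", "example.com", in_frame=True)
FRAMED_POST = Request("POST", "partner.test", "example.com", in_frame=True)
```

With the 2.2 default of Lax, `csrf_status("Lax", FRAMED_GET)` is 200 (the form displays) while `csrf_status("Lax", FRAMED_POST)` is 403, which is exactly the behaviour reported above.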

Change History (1)

comment:1 by Dan Braghis, 5 years ago

Description: modified (diff)