Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#31635 closed New feature (wontfix)

SameSite cookie except on a URL

Reported by: James Pic Owned by: nobody
Component: HTTP handling Version: 3.0
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by James Pic)

Currently, the SameSite cookie option can be enabled globally, which is great for a lot of use case.

If you have a form that's embedded via an iframe, which requires both session and csrf cookies to be sent on POST, then SameSite needs to be disabled.

The best would be to keep SameSite option on CSRF and Session cookies for the admin and the rest of the site, except for a particular set of views.

This is currently possible by adding a new middleware that will delete the samesite key on the response cookies, I suppose it's fine if that API is going to be supported on the long term, otherwise we should find a public API allowing Django projects to benefit from SameSite in views such as the Admin while having it disabled on other views, like with @xframe_options_exempt

Change History (3)

comment:1 by James Pic, 5 years ago

Description: modified (diff)

comment:2 by Carlton Gibson, 5 years ago

Resolution: wontfix
Status: newclosed

I think a middleware is precisely the route to go here. Explicitly set a list of URLS for which the lax setting will apply.

Yes, we could add a decorator but it's a lot of extra surface area where the middleware solution is so neat.

comment:3 by Adam Johnson, 5 years ago

Disabling setting the samesite flag for such cookies on "just a few URL's" is effectively the same as disabling the flag everywhere. The flag is only sent with Set-Cookie, so the cookie will persist as not-samesite for all future requests.

Note: See TracTickets for help on using tickets.
Back to Top