Hi folks,
after upgrading to Django 2.1, we noticed many occurrences of 403 CSRF errors for Safari 12 users.
In simple terms, Safari 12 implementation of samesite=Lax cookies is wrong.
It causes issues in many common request flows, like the OpenIdConnect flow for
ASP.NET Core 2.1.
For Django, the issue might be considered even worse. If the user comes from a cross-site redirection (like a tracker link from an email provider), Safari doesn't send samesite=lax cookies on the request. This causes multiple issues. We've been able to identify those three, but maybe there are more:
- User will not be logged in if SESSION_COOKIE_SAMESITE = 'Lax'. That behavior is only expected if 'Strict', AFAIK.
- User will not be able to make AJAX POST requests if CSRF_COOKIE_SAMESITE = 'Lax', because JS code won't be able to read the CSRF cookie.
- POSTs on other open tabs/windows will fail if CSRF_COOKIE_SAMESITE = 'Lax', because Safari triggered a CSRF cookie update after the first request without cookies.
Those issues do not happen on Chrome, nor Firefox.
Since Safari 12 is the current stable version and it's widely deployed on iOS devices, I believe the Django default for CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE should be None, not Lax.
Upgrading to Django 2.1 caused this issue to us and frustrated many users. I think a more conservative default is necessary here to avoid breaking common use cases like visiting a web app page logged in after receiving a transactional or scheduled email.
Please let me know your thoughts, I can help with a PR if needed.