[Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt


Django

Aug 27, 2019, 11:13:32 AM8/27/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-----------------------------------------+------------------------
Reporter: zerolab | Owner: nobody
Type: Uncategorized | Status: new
Component: CSRF | Version: 2.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
{{{xframe_options_exempt}}} is broken with the default setting for
{{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} as of #27863.

Our use case: an embeddable form started returning 403 when submitted
after upgrading to 2.2

To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with
{{{xframe_options_exempt}}}
- load the view in an iframe and try to submit.

At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/
could do with a note about it.

--
Ticket URL: <https://code.djangoproject.com/ticket/30732>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
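The 403 described in the report comes from the browser, not from the view: a cookie flagged SameSite=Lax is only attached to cross-site requests that are top-level navigations using a safe method, and a form POST issued from inside a cross-site iframe is neither, so Django's CSRF middleware never sees the csrftoken cookie. The following added example (not Django's code and not a browser's; hostnames partner.example and forms.example, the token value and the status codes are constructed for illustration) re-implements that delivery rule for the relevant cases together with a stripped-down double-submit check, and walks the ticket's scenario through each SameSite value. It assumes the CSRF cookie is already stored for the application from an earlier top-level visit and models only whether it is sent, and it treats an omitted SameSite attribute (Django's `CSRF_COOKIE_SAMESITE = None`) as unrestricted, which is pre-2020 browser behaviour.

```python
"""Model of the failure reported in #30732: an iframe-embedded Django form
whose POST is rejected with 403 because the SameSite=Lax CSRF cookie is
not attached to the cross-site request.

Added example. This is NOT Django's or a browser's code: it re-implements
the SameSite delivery rule (RFC 6265bis) for the cases that matter here and
a stripped-down Django-style double-submit CSRF check (no token masking,
no Referer/Origin checks). Hostnames and token values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    # "Lax", "Strict", "None", or None meaning the attribute is omitted
    # (what Django 2.2 emits for CSRF_COOKIE_SAMESITE = None).
    samesite: Optional[str]
    secure: bool = False


def registrable_domain(host: str) -> str:
    """Toy eTLD+1: last two labels. Real browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def cookie_is_sent(cookie: Cookie, *, initiator_site: Optional[str], target_host: str,
                   method: str, top_level: bool, scheme: str = "https") -> bool:
    """Would a browser attach `cookie` to this request?

    initiator_site: host of the document that issued the request (None for a
    user-typed URL). top_level: True for a navigation of the top-level
    document, False for a request made from inside an iframe.
    """
    same_site = (initiator_site is None
                 or registrable_domain(initiator_site) == registrable_domain(target_host))
    if same_site:
        return True
    mode = cookie.samesite
    if mode is None:
        # Assumption: pre-2020 browser behaviour, where an omitted attribute meant
        # "unrestricted". Chrome 80+ treats a missing attribute as Lax instead.
        return True
    if mode == "Strict":
        return False
    if mode == "Lax":
        # Lax: cross-site delivery only on top-level navigations with safe methods.
        # A form POST issued from inside an iframe is neither.
        return top_level and method in SAFE_METHODS
    # "None": browsers require Secure (and therefore https) for cross-site delivery.
    return cookie.secure and scheme == "https"


def csrf_check(method: str, request_cookies: Dict[str, str], form_fields: Dict[str, str],
               cookie_name: str = "csrftoken") -> int:
    """Django-style double-submit check, reduced to the two comparisons that matter.

    Returns an HTTP status: 200 if accepted, 403 if rejected.
    """
    if method in SAFE_METHODS:
        return 200
    cookie_token = request_cookies.get(cookie_name)
    if cookie_token is None:
        return 403          # Django's message: "CSRF cookie not set."
    if form_fields.get("csrfmiddlewaretoken") != cookie_token:
        return 403          # Django's message: "CSRF token missing or incorrect."
    return 200


def submit_embedded_form(samesite: Optional[str], secure: bool = True,
                         embedder: str = "partner.example", app: str = "forms.example") -> int:
    """Simulate the ticket's scenario and return the status of the POST.

    The csrftoken cookie is assumed to be stored already for `app` (e.g. from an
    earlier top-level visit); the rendered form carries the matching hidden field,
    so the token itself is fine and only cookie delivery decides the outcome.
    """
    token = "constructed-token-value"
    cookie = Cookie("csrftoken", token, samesite, secure)
    sent: Dict[str, str] = {}
    if cookie_is_sent(cookie, initiator_site=embedder, target_host=app,
                      method="POST", top_level=False):
        sent[cookie.name] = cookie.value
    return csrf_check("POST", sent, {"csrfmiddlewaretoken": token})


if __name__ == "__main__":
    for mode, secure in (("Lax", True), ("Strict", True), ("None", True), ("None", False), (None, True)):
        print(f"SameSite={mode!s:6} Secure={secure!s:5} -> {submit_embedded_form(mode, secure)}")
```

Running the script shows 403 for Lax and Strict and 200 only when the cookie is unrestricted (attribute omitted, or `None` together with Secure). In Django 2.2 terms the passing case is `CSRF_COOKIE_SAMESITE = None`, and if the embedded view also reads the session, `SESSION_COOKIE_SAMESITE` has to be relaxed the same way; the string value `'None'` that current browsers require for cross-site cookies became an accepted setting value in Django 3.1. Either relaxation restores the cross-site cookie delivery that Lax had removed for the whole site, so it should be confined to deployments where embedding is intended, with the token comparison left as the only CSRF defence for that form.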

Django

Aug 27, 2019, 11:18:26 AM8/27/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: zerolab                       | Owner: nobody
Type: Uncategorized                     | Status: new
Component: CSRF                         | Version: 2.2
Severity: Normal                        | Resolution:
Keywords:                               | Triage Stage: Unreviewed
Has patch: 0                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 0                        | UI/UX: 0
----------------------------------------+--------------------------------
Description changed by zerolab:

Old description:

> {{{xframe_options_exempt}}} is broken with the default setting for
> {{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} as of
> #27863.
>
> Our use case: an embeddable form started returning 403 when submitted
> after upgrading to 2.2
>
> To reproduce:
> - create a simple form
> - show it on a page with a custom view, decorated with
> {{{xframe_options_exempt}}}
> - load the view in an iframe and try to submit.
>
> At the very least,
> https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a
> note about it.

New description:

{{{xframe_options_exempt}}} is broken with the default setting for
{{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} (i.e.
{{{Lax}}}) as of #27863.

Our use case: an embeddable form started returning 403 when submitted
after upgrading to 2.2

To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with
{{{xframe_options_exempt}}}
- load the view in an iframe and try to submit.

At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/
could do with a note about it.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:1>

Django

Aug 28, 2019, 3:01:03 AM8/28/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: nobody
Type: Cleanup/optimization              | Status: new
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution:
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Accepted
Has patch: 0                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------
Changes (by Carlton Gibson):

* keywords: => CSRF, SameSite, Clickjacking
* type: Uncategorized => Cleanup/optimization
* component: CSRF => Documentation
* easy: 0 => 1
* stage: Unreviewed => Accepted


Comment:

These topics are orthogonal, but, OK yes, often the reason to allow use in
an iframe would be form submission.

As such, a note in `docs/ref/clickjacking.txt` cross-linking to the
`CSRF_COOKIE_SAMESITE` and/or `SESSION_COOKIE_SAMESITE` docs would seem
appropriate.

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:2>

Django

Aug 28, 2019, 2:46:18 PM8/28/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: Jezeniel Zapanta
Type: Cleanup/optimization              | Status: assigned
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution:
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Accepted
Has patch: 0                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------
Changes (by Jezeniel Zapanta):

* owner: nobody => Jezeniel Zapanta
* status: new => assigned


Comment:

Will handle this ticket.

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:3>

Django

Sep 9, 2019, 5:50:33 AM9/9/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: Jezeniel Zapanta
Type: Cleanup/optimization              | Status: assigned
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution:
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Accepted
Has patch: 0                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------

Comment (by Jezeniel Zapanta):

Replying to [comment:2 Carlton Gibson]:


> These topics are orthogonal, but, OK yes, often the reason to allow use
in an iframe would be form submission.
>
> As such, a note in `docs/ref/clickjacking.txt` cross-linking to the
`CSRF_COOKIE_SAMESITE` and/or `SESSION_COOKIE_SAMESITE` docs would seem
appropriate.

I have some questions regarding this, maybe this is somehow unrelated to
the ticket but what if you just want to disable the `CSRF_COOKIE_SAMESITE`
to a certain view? If we modify `CSRF_COOKIE_SAMESITE` it will be disabled
globally, what if you want granular control over this? Will it be possible?

Will this also be possible?

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:4>

Django

Sep 9, 2019, 7:20:35 AM9/9/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: Jezeniel Zapanta
Type: Cleanup/optimization              | Status: assigned
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution:
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Accepted
Has patch: 1                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------
Changes (by Jezeniel Zapanta):

* has_patch: 0 => 1


Comment:

https://github.com/django/django/pull/11759

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:5>

Django

Sep 23, 2019, 9:11:08 AM9/23/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: Jezeniel Zapanta
Type: Cleanup/optimization              | Status: assigned
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution:
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Ready for checkin
Has patch: 1                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------
Changes (by felixxm):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:6>

Django

Sep 24, 2019, 2:44:43 AM9/24/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: Jezeniel Zapanta
Type: Cleanup/optimization              | Status: closed
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution: fixed
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Ready for checkin
Has patch: 1                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"e8ad265ac882f8f118d2c4a7618bd3e3916fc13e" e8ad265a]:
{{{
#!CommitTicketReference repository=""
revision="e8ad265ac882f8f118d2c4a7618bd3e3916fc13e"
Fixed #30732 -- Doc'd that SameSite cookies flags can affect
xframe_options_exempt.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:7>

Django

Sep 24, 2019, 2:45:15 AM9/24/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: Jezeniel Zapanta
Type: Cleanup/optimization              | Status: closed
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution: fixed
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Ready for checkin
Has patch: 1                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"9510af35fce9de740f76f04cb5216c42daa1b9f3" 9510af35]:
{{{
#!CommitTicketReference repository=""
revision="9510af35fce9de740f76f04cb5216c42daa1b9f3"
[3.0.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect
xframe_options_exempt.

Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:8>

Django

Sep 24, 2019, 2:46:06 AM9/24/19
to django-...@googlegroups.com
#30732: The default SameSite cookie flag breaks xframe_options_exempt
----------------------------------------+--------------------------------
Reporter: Dan Braghis                   | Owner: Jezeniel Zapanta
Type: Cleanup/optimization              | Status: closed
Component: Documentation                | Version: 2.2
Severity: Normal                        | Resolution: fixed
Keywords: CSRF, SameSite, Clickjacking  | Triage Stage: Ready for checkin
Has patch: 1                            | Needs documentation: 0
Needs tests: 0                          | Patch needs improvement: 0
Easy pickings: 1                        | UI/UX: 0
----------------------------------------+--------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"62a4a5062fb12bebe87505f9ecd1484212d85795" 62a4a50]:
{{{
#!CommitTicketReference repository=""
revision="62a4a5062fb12bebe87505f9ecd1484212d85795"
[2.2.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect
xframe_options_exempt.

Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:9>
