Our use case: an embeddable form started returning 403 when submitted
after upgrading to 2.2.
To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with
{{{xframe_options_exempt}}}
- load the view in an iframe and try to submit.
At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/
could do with a note about it.
--
Ticket URL: <https://code.djangoproject.com/ticket/30732>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Old description:
> {{{xframe_options_exempt}}} is broken with the default setting for
> {{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} as of
> #27863.
>
> Our use case: an embeddable form started returning 403 when submitted
> after upgrading to 2.2.
>
> To reproduce:
> - create a simple form
> - show it on a page with a custom view, decorated with
> {{{xframe_options_exempt}}}
> - load the view in an iframe and try to submit.
>
> At the very least,
> https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a
> note about it.
New description:
{{{xframe_options_exempt}}} is broken with the default setting for
{{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} (i.e.
{{{Lax}}}) as of #27863.
Our use case: an embeddable form started returning 403 when submitted
after upgrading to 2.2.
To reproduce:
- create a simple form
- show it on a page with a custom view, decorated with
{{{xframe_options_exempt}}}
- load the view in an iframe and try to submit.
At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/
could do with a note about it.
--
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:1>
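Added example, not code from the ticket or from Django itself: a small Python model of the browser SameSite rules and of Django's CSRF cookie check, showing why the form in the report gets a 403 when POSTed from a cross-site iframe under the Lax default, and what changes when the cookie carries SameSite=None together with Secure. The browser rules and the 200/403 outcomes are my simplified assumptions about current browsers and CsrfViewMiddleware.

```python
# Added example (not from the ticket or Django): model of SameSite cookie
# rules plus a simplified CSRF check, to explain the 403 reported above.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class RequestContext:
    method: str
    cross_site: bool            # request site differs from the cookie's site
    top_level_navigation: bool  # False for anything initiated inside an iframe


def browser_sends_cookie(samesite, ctx, secure=False):
    """Whether a cookie with this SameSite value is attached to the request.

    Assumed current-browser rules: Strict never crosses sites, Lax crosses
    only on top-level navigations with a safe method, None always crosses
    but is rejected outright unless the cookie is also Secure.
    """
    if samesite == "None" and not secure:
        return False  # browsers drop SameSite=None cookies lacking Secure
    if not ctx.cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return ctx.top_level_navigation and ctx.method in SAFE_METHODS
    if samesite == "None":
        return True
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def csrf_check(samesite, ctx, secure=False, token_in_form=True):
    """Simplified CsrfViewMiddleware outcome for a view: 200 or 403."""
    if ctx.method in SAFE_METHODS:
        return 200  # CSRF is only enforced on unsafe methods
    if not browser_sends_cookie(samesite, ctx, secure):
        return 403  # "CSRF cookie not set": the cookie never left the browser
    if not token_in_form:
        return 403  # "CSRF token missing or incorrect"
    return 200


# Constructed scenarios: the embeddable form submitted from an iframe on
# another site, versus the same form submitted on the site that set the cookie.
IFRAME_POST = RequestContext("POST", cross_site=True, top_level_navigation=False)
LOCAL_POST = RequestContext("POST", cross_site=False, top_level_navigation=True)
```

Relaxing the attribute to None removes the SameSite layer entirely, so for that view the CSRF token in the form is the only remaining cross-site defence.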
* keywords: => CSRF, SameSite, Clickjacking
* type: Uncategorized => Cleanup/optimization
* component: CSRF => Documentation
* easy: 0 => 1
* stage: Unreviewed => Accepted
Comment:
These topics are orthogonal, but, OK yes, often the reason to allow use in
an iframe would be form submission.
As such, a note in `docs/ref/clickjacking.txt` cross-linking to the
`CSRF_COOKIE_SAMESITE` and/or `SESSION_COOKIE_SAMESITE` docs would seem
appropriate.
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:2>
* owner: nobody => Jezeniel Zapanta
* status: new => assigned
Comment:
Will handle this ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:3>
Comment (by Jezeniel Zapanta):
Replying to [comment:2 Carlton Gibson]:
> These topics are orthogonal, but, OK yes, often the reason to allow use
> in an iframe would be form submission.
>
> As such, a note in `docs/ref/clickjacking.txt` cross-linking to the
> `CSRF_COOKIE_SAMESITE` and/or `SESSION_COOKIE_SAMESITE` docs would seem
> appropriate.
I have some questions regarding this, maybe this is somehow unrelated to
the ticket but what if you just want to disable the `CSRF_COOKIE_SAMESITE`
to a certain view? If we modify `CSRF_COOKIE_SAMESITE` it will be disabled
globally, what if you want granular control over this? Will it be possible?
Will this also be possible?
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:4>
* has_patch: 0 => 1
Comment:
https://github.com/django/django/pull/11759
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:5>
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:6>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"e8ad265ac882f8f118d2c4a7618bd3e3916fc13e" e8ad265a]:
{{{
#!CommitTicketReference repository=""
revision="e8ad265ac882f8f118d2c4a7618bd3e3916fc13e"
Fixed #30732 -- Doc'd that SameSite cookies flags can affect
xframe_options_exempt.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:7>
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"9510af35fce9de740f76f04cb5216c42daa1b9f3" 9510af35]:
{{{
#!CommitTicketReference repository=""
revision="9510af35fce9de740f76f04cb5216c42daa1b9f3"
[3.0.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect
xframe_options_exempt.
Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:8>
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"62a4a5062fb12bebe87505f9ecd1484212d85795" 62a4a50]:
{{{
#!CommitTicketReference repository=""
revision="62a4a5062fb12bebe87505f9ecd1484212d85795"
[2.2.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect
xframe_options_exempt.
Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:9>