On Monday, April 17, 2023 at 8:45:16 AM UTC+2 Curtis Maloney wrote:

> Are you implying that all CSRF attacks protected by Django's current
> machinery are entirely mitigated by SameSite=Lax on the _session_ cookie?

Yes. Therefore, imho, the CSRF protection is just some nasty legacy
developers have to fiddle with. It doesn't add any security benefit anymore.
That said, maybe there is still a possible attack vector on cross-site
request forgeries, but I was unable to exploit them with disabled CSRF
protection.
Therefore it would be great if someone with more hacking experience than
myself could try this.

– Jacob
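Added illustration for the SameSite=Lax question above; this is not part of Jacob's message and not Django code. It models the browser's SameSite cookie rules from RFC 6265bis and lists which cross-site request shapes still reach the server with a Lax session cookie attached. The `Cookie`/`Request` classes and the named request shapes are my own constructions.

```python
from dataclasses import dataclass

# Methods the cookie spec treats as "safe" for the SameSite=Lax exception.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str          # "Strict", "Lax" or "None"
    secure: bool = True


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiator site differs from the target site
    top_level_navigation: bool  # link click, form submit or redirect in the top frame
    https: bool = True


def cookie_attached(cookie: Cookie, req: Request) -> bool:
    """True if a current browser attaches `cookie` to `req` (RFC 6265bis rules)."""
    if cookie.secure and not req.https:
        return False
    if not req.cross_site:
        return True
    if cookie.samesite == "None":
        return cookie.secure          # SameSite=None is only honoured with Secure
    if cookie.samesite == "Strict":
        return False
    # Lax: cross-site only on a top-level navigation using a safe method.
    return req.top_level_navigation and req.method.upper() in SAFE_METHODS


# Constructed cross-site request shapes (hypothetical names, for illustration).
CROSS_SITE_SHAPES = {
    "form POST from another site": Request("POST", cross_site=True, top_level_navigation=True),
    "top-level GET (link or redirect) from another site": Request("GET", cross_site=True, top_level_navigation=True),
    "fetch/iframe/img GET from another site": Request("GET", cross_site=True, top_level_navigation=False),
}


def still_carried(cookie: Cookie) -> list:
    """Cross-site request shapes that still reach the server with `cookie` attached."""
    return [name for name, req in CROSS_SITE_SHAPES.items() if cookie_attached(cookie, req)]


if __name__ == "__main__":
    session = Cookie("sessionid", samesite="Lax")   # Django's default SESSION_COOKIE_SAMESITE
    print(still_carried(session))   # ['top-level GET (link or redirect) from another site']
```

The model shows why the classic cross-site form POST loses the Lax session cookie, while a top-level GET navigation still carries it, so views that change state on GET are the case the CSRF middleware and safe-method discipline still matter for.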

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/18aaa4cf-4612-4373-bd91-90cfb3fd07b8n%40googlegroups.com.