On Tuesday, April 18, 2023 at 8:34:14 AM UTC-5 Stratos Moros wrote:
[...] In my experience there are legitimate cases for setting SameSite=None, especially concerning iframes. Specifically, when developing a web app intended to be embedded as an iframe by a different top-level origin, you can't really use cookies unless their SameSite attribute is None. This is the case even if you manage the cookies entirely inside the iframe and its origin. In my experience, even SameSite=None is not sufficient to use cookies in cross-site iframes. Safari doesn't allow those cookies to be sent unless you visit the site directly first. I've heard movements for Firefox and/or Chrome having similar behavior, but I haven't been working with iframes recently enough to know the current state of that. In such cases, you really do need Django's current CSRF protection.

Personally I wouldn't mind it being off by default, since SameSite=Lax seems to be enough for most cases, but this could be a footgun for some people. There certainly are legitimate use-cases.

I like Jacob's following suggestion for a check that might help alleviate a misconfiguration concern, if they did change SameSite to None without activating CSRF protection. If it were possible to identify other places where there might be a sharp-edge misconfiguration because of the cross-domain difference of meaning between SameSite and what CSRF needs, that could be good as well. And those checks would, I think, be worthwhile even without changing the default, since they are currently possible configurations.

I think what we want to weigh is whether the footgun of *not* having CSRF by default is bigger than the significant complexity overhead of managing the CSRF protection in a new project. It's marking all views, adding tags to all form templates, and I think it can be easy to underestimate the attention it requires. If we can eliminate this overhead, especially for beginners starting out with Django and web development, that sounds like a great benefit.
Lowering the barrier to entry is worth a lot.

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/553aea07-90de-41ce-a71c-6529ebc97eb3n%40googlegroups.com.
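The two points the message makes, that SameSite=Lax already blocks the cross-site POSTs CSRF protection exists for while SameSite=None does not, and that a system check could catch SameSite=None configured without CsrfViewMiddleware, can be made concrete in code. The block below is an added example written for this page; it is not code from the thread or from Django. It assumes a simplified model of current browser SameSite rules (Strict: same-site only; Lax: same-site plus cross-site top-level navigations with safe methods; None: everything, but only when the cookie is also Secure; an omitted attribute treated as Lax, as Chrome does), and the `samesite_csrf_checks` function and its `samesite.W001`/`samesite.W002` ids are hypothetical, modelled on Django's settings names and check framework but not part of it. Only the middleware path `django.middleware.csrf.CsrfViewMiddleware` is real.

```python
# Added example, not Django's own code: a model of when a browser attaches a
# cookie to a request, plus a hypothetical Django-style system check that warns
# when a project sets SameSite=None without CsrfViewMiddleware active.
from dataclasses import dataclass

# Real Django middleware path; everything else named here is assumed for the example.
CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_sent(samesite, *, same_site_request, top_level_nav, method, secure=True):
    """Return True if a cookie with this SameSite value would be attached.

    Simplified model of current browser behaviour:
      Strict  -> only on same-site requests
      Lax     -> same-site, or cross-site top-level navigations using a safe method
      None    -> any request, but only if the cookie is also Secure
      omitted -> treated as Lax (Chrome's default)
    An iframe load is a cross-site, non-top-level request, so Lax/Strict
    cookies never reach it; a forged cross-site POST is also not top-level.
    """
    if same_site_request:
        return True
    mode = (samesite or "Lax").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_nav and method.upper() in SAFE_METHODS
    if mode == "none":
        return secure
    raise ValueError(f"unknown SameSite value: {samesite!r}")


@dataclass(frozen=True)
class CheckWarning:
    id: str   # hypothetical check id, e.g. "samesite.W001"
    msg: str


def samesite_csrf_checks(settings):
    """Hypothetical system check over a Django-style settings dict.

    Flags each of SESSION_COOKIE_SAMESITE / CSRF_COOKIE_SAMESITE that is the
    string "None" (the SameSite=None attribute) when CsrfViewMiddleware is not
    in MIDDLEWARE (W001) or the matching *_COOKIE_SECURE flag is off (W002).
    A Python None/False value means "omit the attribute" in Django and is
    deliberately not treated as SameSite=None.
    """
    middleware = settings.get("MIDDLEWARE", [])
    csrf_active = CSRF_MIDDLEWARE in middleware
    warnings = []
    for cookie in ("SESSION", "CSRF"):
        value = settings.get(f"{cookie}_COOKIE_SAMESITE", "Lax")
        if not (isinstance(value, str) and value.lower() == "none"):
            continue  # Lax/Strict or omitted: cross-site POSTs will not carry it
        if not csrf_active:
            warnings.append(CheckWarning(
                "samesite.W001",
                f"{cookie}_COOKIE_SAMESITE is 'None' but {CSRF_MIDDLEWARE} is not "
                "in MIDDLEWARE; cross-site requests will carry this cookie with "
                "no CSRF token check.",
            ))
        if not settings.get(f"{cookie}_COOKIE_SECURE", False):
            warnings.append(CheckWarning(
                "samesite.W002",
                f"{cookie}_COOKIE_SAMESITE is 'None' but {cookie}_COOKIE_SECURE is "
                "False; browsers reject SameSite=None cookies without Secure.",
            ))
    return warnings


if __name__ == "__main__":
    # Constructed settings for illustration, not from any real project.
    embedded_app = {"SESSION_COOKIE_SAMESITE": "None",
                    "SESSION_COOKIE_SECURE": True,
                    "MIDDLEWARE": []}
    for w in samesite_csrf_checks(embedded_app):
        print(w.id, w.msg)
    # Why the check matters: a forged cross-site POST carries the session
    # cookie under SameSite=None but not under Lax.
    for mode in ("Lax", "None"):
        print(mode, cookie_sent(mode, same_site_request=False,
                                top_level_nav=False, method="POST"))
```

The check only looks at settings, so it will not notice views marked `@csrf_exempt`; those still need review by hand when a cookie is SameSite=None.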