The original blog post you posted seems to answer this question. Further it states "It's going to be a long time until we can consider removing traditional anti-CSRF mechanisms but adding SameSite on top of those gives us an incredibly robust defence." Like most things in security, I think this is an "in addition to" instead of "in place of." At least until all browsers support it (and that can be guaranteed by some mechanism).
For me personally the cost of keeping/adding them in is really low since Django handles the recordkeeping and validation. However, if you have a specific use case where a) you can guarantee everyone is using a compatible browser and b) CSRF tokens are difficult to implement for some reason, I think it's relatively reasonable to drop requiring them. This is also assuming that your site doesn't do anything that makes it a high value target for attackers (such as financial transactions, etc.). If any of these are not true, I would personally leave the protections in place.

On Tue, Apr 21, 2020 at 1:19 PM guettli <guettli.goo...@thomas-guettler.de> wrote:

> On Sunday, 19 April 2020 23:11:59 UTC+2, Alex Heyden wrote:
>> Django supports samesite on session cookies now, and it's on (set to lax) by default. Whether or not that completely covers your surface risk to CSRF attacks is a somewhat different question.
>
> AFAIK they can not happen. But I am not an expert in this area.
> Does somebody know if CSRF attacks can happen with SameSite=Lax cookies?
>
> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/84e032ab-f78b-41f8-879f-38e623269910%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAGABHYCkQ4xjO53%2BTnaNJPTfhK7AwXwviinpd7-CwgQQh5Egug%40mail.gmail.com.
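The "in addition to, not in place of" point in the reply above, as an added example that is not part of the thread and not Django's own code. It is a small model of which cross-site requests a browser attaches a cookie to under each SameSite value (following the RFC 6265bis rules), paired with a simplified per-session CSRF token check that mimics what Django's CsrfViewMiddleware enforces for unsafe methods. The `Request` and `Server` classes, the request shapes and the token handling are constructed for illustration; it ignores the browser-specific "Lax-allowing-unsafe" grace period that applies only to cookies set without any SameSite attribute, which Django's explicit `SameSite=Lax` default does not trigger.

```python
"""Model of SameSite cookie rules versus a Django-style CSRF token check.

Added example, not code from the thread or from Django. It approximates the
RFC 6265bis rules for the SameSite attribute and the behaviour of Django's
CsrfViewMiddleware (token required only for unsafe methods). The request
shapes and token values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    cross_site: bool             # initiated from a different site than the cookie's
    top_level_navigation: bool   # link click or form submit that changes the address bar
    submitted_token: Optional[str] = None  # token supplied in a form field or header


def cookie_sent(samesite: str, req: Request, browser_supports_samesite: bool = True) -> bool:
    """Would the browser attach a cookie carrying this SameSite value to the request?"""
    if not req.cross_site or not browser_supports_samesite:
        # Same-site requests always carry it; legacy browsers ignore the attribute entirely.
        return True
    if samesite == "None":
        return True  # current browsers only accept this together with Secure
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        # Lax: attached only to top-level navigations that use a safe method.
        return req.top_level_navigation and req.method in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite}")


class Server:
    """A view that requires a session cookie and, optionally, a per-session CSRF token."""

    def __init__(self, csrf_middleware_enabled: bool, session_samesite: str = "Lax"):
        self.csrf_middleware_enabled = csrf_middleware_enabled
        self.session_samesite = session_samesite
        self.csrf_secret = secrets.token_hex(16)  # constructed: stored server-side for the session

    def handles(self, req: Request, browser_supports_samesite: bool = True) -> bool:
        """True if the request reaches the view as the authenticated user."""
        if not cookie_sent(self.session_samesite, req, browser_supports_samesite):
            return False  # no session cookie: the request is anonymous and the view rejects it
        if self.csrf_middleware_enabled and req.method not in SAFE_METHODS:
            # A cross-site page cannot read the token, so a forged request cannot present it.
            return req.submitted_token is not None and hmac.compare_digest(
                req.submitted_token, self.csrf_secret
            )
        return True


def scenarios() -> dict:
    """Which forged or legitimate requests reach the view under each configuration."""
    forged_post = Request("POST", cross_site=True, top_level_navigation=True)  # auto-submitted form
    forged_get = Request("GET", cross_site=True, top_level_navigation=True)    # link to /delete?id=1
    server = Server(csrf_middleware_enabled=True)
    legit_post = Request("POST", cross_site=False, top_level_navigation=True,
                         submitted_token=server.csrf_secret)
    return {
        # Old browser ignores SameSite; only the token check stops the forged POST.
        "legacy_browser_tokens_off": Server(False).handles(forged_post, browser_supports_samesite=False),
        "legacy_browser_tokens_on": Server(True).handles(forged_post, browser_supports_samesite=False),
        # Modern browser with Lax: a forged cross-site POST never carries the session cookie.
        "lax_forged_post": Server(False).handles(forged_post),
        # Lax still sends the cookie on a top-level GET, so a state-changing GET view stays exposed.
        "lax_forged_get": Server(True).handles(forged_get),
        "strict_forged_get": Server(True, session_samesite="Strict").handles(forged_get),
        # The legitimate same-site form submit with its token still works.
        "same_site_post_with_token": server.handles(legit_post),
    }


if __name__ == "__main__":
    for name, reached_view in scenarios().items():
        print(f"{name:28s} reaches view: {reached_view}")
```

The two rows worth reading together are `legacy_browser_tokens_off` and `lax_forged_get`: the first is the "until all browsers support it" gap the reply mentions, the second is the reminder that Lax deliberately lets a top-level GET through, so SameSite only helps if state changes are confined to unsafe methods, which is exactly the set the token check covers.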