Hi Florian, thanks for your response.

> So this is a Safari bug?

Yes. Lax doesn't work as intended in Safari 12. Bug was confirmed here: 
https://bugs.webkit.org/show_bug.cgi?id=188165#c37 (comment 37)
Apple also says the newest beta versions of iOS/Mac should fix the 
issue: https://bugs.webkit.org/show_bug.cgi?id=188165#c43 (comment 43)
I didn't test this yet. The current stable version is still broken; I 
confirmed that yesterday.

> shouldn't httponly yes/no control whether JS can read the data?

Yes. But on Django, the default is httponly false for the CSRF cookie.
So even without httponly, Safari doesn't allow JS to read the CSRF cookie. 
Safari also doesn't send the session cookie nor the CSRF cookie during the 
request (if it comes from a cross-site source, like an email tracker 
redirection). 
You can reproduce with this Django 
code: https://github.com/vintasoftware/safari-samesite-cookie-issue 

> sadly I do not own a Mac

If you wish, I can provide you a BrowserStack account, so you can test on 
Safari from your browser.
Please reach me at flavio at vinta.com.br and I'll send you the credentials.

> I am wondering if this also results in 
> https://code.djangoproject.com/ticket/29975 or 
> if this is just a result of their tracking protection

Yes, I think it's the same problem. I don't think this is a result of the 
"Protection Against First Party Bounce Trackers" because the issue doesn't 
happen if SESSION_COOKIE_SAMESITE = None and CSRF_COOKIE_SAMESITE = None, 
which is the behavior of Django < 2.1.
This is an issue with Django 2.1 defaults + Safari 12 + cross-site 
redirection.
That's why I suggested a change on defaults, or at least some clear warning.

Happy to answer more questions or to help any core developer to reproduce 
the issue.

Cheers,
Flávio.

On Friday, March 15, 2019 at 7:09:51 AM UTC-3, Florian Apolloner wrote:
>
> I am wondering if this also results in 
> https://code.djangoproject.com/ticket/29975 
> or if this is just a result of their tracking protection. All in all it 
> would be great to know what Safari actually does… (sadly I do not own a Mac 
> :/) I'll dig through #30250 soon. 
>
> > - User will not be logged in if SESSION_COOKIE_SAMESITE = 'Lax'. That 
> behavior is only expected if 'Strict', AFAIK.
>
> So this is a Safari bug?
>
> > - User will not be able to make AJAX POST requests if 
> CSRF_COOKIE_SAMESITE = 'Lax', because JS code won't be able to read the 
> CSRF cookie.
>
> I have to reread the specs, but shouldn't httponly yes/no control whether 
> JS can read the data?
>
> Cheers,
> Florian
>
> On Wednesday, March 13, 2019 at 9:48:07 PM UTC+1, Flávio Junior wrote:
>>
>> Hi folks,
>> after upgrading to Django 2.1, we noticed many occurrences of 403 CSRF 
>> errors for Safari 12 users.
>> After days debugging the problem, we've pinpointed the issue to the 
>> Webkit Bug 188165: https://bugs.webkit.org/show_bug.cgi?id=188165
>>
>> In simple terms, Safari 12's implementation of samesite=Lax cookies is 
>> wrong.
>> It causes issues in many common request flows, like the OpenIdConnect 
>> flow for ASP.NET Core 2.1.
>>
>> For Django, the issue might be considered even worse. If the user comes 
>> from a cross-site redirection (like a tracker link from an email provider), 
>> Safari doesn't send samesite=lax cookies on the request. This causes 
>> multiple issues. We've been able to identify those three, but maybe there 
>> are more:
>> - User will not be logged in if SESSION_COOKIE_SAMESITE = 'Lax'. That 
>> behavior is only expected if 'Strict', AFAIK.
>> - User will not be able to make AJAX POST requests if 
>> CSRF_COOKIE_SAMESITE = 'Lax', because JS code won't be able to read the 
>> CSRF cookie.
>> - POSTs on other open tabs/windows will fail if CSRF_COOKIE_SAMESITE = 
>> 'Lax', because Safari triggered a CSRF cookie update after the first 
>> request without cookies.
>>
>> Those issues do not happen on Chrome, nor Firefox.
>> Full Django project example of the problem above is available here: 
>> https://github.com/vintasoftware/safari-samesite-cookie-issue
>>
>> Since Safari 12 is the current stable version and it's widely deployed on 
>> iOS devices, I believe the Django default for CSRF_COOKIE_SAMESITE and 
>> SESSION_COOKIE_SAMESITE should be None, not Lax.
>>
>> Upgrading to Django 2.1 caused this issue for us and frustrated many 
>> users. I think a more conservative default is necessary here to avoid 
>> breaking common use cases like visiting a web app page logged in after 
>> receiving a transactional or scheduled email.
>> If you do not wish to change the defaults, IMHO at least a warning should 
>> be placed on the documentation. For comparison, Microsoft issued a security 
>> advisory describing the bug on ASP.NET: 
>> https://github.com/aspnet/Announcements/issues/318
>> Please let me know your thoughts, I can help with a PR if needed.
>>
>> Related Django ticket: https://code.djangoproject.com/ticket/30250
>>
>
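The following is an added example, not code from this thread or from Django: it models the cookie-send decision a browser makes for Django's session and CSRF cookies on the email-link flow described above, comparing the SameSite spec with the Safari 12 behavior reported here (simplified as "Lax behaves like Strict"). The `Request`, `email_link_flow` and settings-dict names are assumptions for the illustration.

```python
# Added example (not code from the thread): models the cookie-send decision a
# browser makes for Django's session and CSRF cookies, comparing the SameSite
# spec with the Safari 12 behaviour reported in the thread.
from dataclasses import dataclass
from typing import Callable, Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool   # initiated by another site, e.g. an email tracker redirect
    top_level: bool    # top-level navigation (the address bar changes)

def spec_sends_cookie(samesite: Optional[str], req: Request) -> bool:
    """Spec behaviour: None (attribute omitted, Django < 2.1) always sends;
    Strict never sends cross-site; Lax sends on cross-site top-level
    navigations that use a safe method."""
    if samesite is None or not req.cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return req.top_level and req.method in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite!r}")

def safari12_sends_cookie(samesite: Optional[str], req: Request) -> bool:
    """Simplified model of the reported Safari 12 bug: Lax behaves like Strict."""
    return spec_sends_cookie("Strict" if samesite == "Lax" else samesite, req)

Browser = Callable[[Optional[str], Request], bool]

def email_link_flow(settings: dict, browser: Browser) -> dict:
    """A logged-in user clicks a tracked link in an email: the tracker issues a
    cross-site redirect to the app, which the browser follows as a top-level GET.
    If the CSRF cookie is missing, Django sets a fresh one, so tokens already
    rendered in other open tabs no longer match (the third symptom above)."""
    landing = Request("GET", cross_site=True, top_level=True)
    session_sent = browser(settings["SESSION_COOKIE_SAMESITE"], landing)
    csrf_sent = browser(settings["CSRF_COOKIE_SAMESITE"], landing)
    return {
        "logged_in": session_sent,
        "other_tabs_post_ok": csrf_sent,  # False once the CSRF cookie is rotated
    }

DJANGO_21_DEFAULTS = {"SESSION_COOKIE_SAMESITE": "Lax", "CSRF_COOKIE_SAMESITE": "Lax"}
PROPOSED_DEFAULTS = {"SESSION_COOKIE_SAMESITE": None, "CSRF_COOKIE_SAMESITE": None}

if __name__ == "__main__":
    for name, browser in (("spec", spec_sends_cookie), ("safari12", safari12_sends_cookie)):
        print(name, email_link_flow(DJANGO_21_DEFAULTS, browser))
```

Under the spec model the Django 2.1 defaults keep the user logged in on the landing GET; under the Safari 12 model both cookies are withheld, which reproduces the logged-out landing and the CSRF rotation that breaks POSTs in other tabs.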
