Hi Flavio,

On Friday, March 15, 2019 at 2:56:16 PM UTC+1, Flávio Junior wrote:
>
> > shouldn't httponly yes/no control whether JS can read the data?
>
> Yes. But, on Django, the default is httponly false for the CSRF cookie. 
> So even without httponly, Safari doesn't allow JS to read the CSRF cookie. 
> Safari also doesn't send the session cookie nor the CSRF cookie during the 
> request (if it comes from a cross-site source, like an email tracker 
> redirection). 
>

Oh, sorry, I was being unclear here. What I wanted to say/ask is whether you 
had set httponly, because I couldn't imagine the SameSite policy affecting 
that. Thanks for clearing that up.


> > I am wondering if this also results in 
> > https://code.djangoproject.com/ticket/29975 or 
> > if this is just a result of their tracking protection
>
> Yes, I think it's the same problem. I don't think this is a result of the 
> "Protection Against First Party Bounce Trackers" because the issue doesn't 
> happen if SESSION_COOKIE_SAMESITE = None and CSRF_COOKIE_SAMESITE = None, 
> which is the behavior of Django < 2.1.
> This is an issue with Django 2.1 defaults + Safari 12 + cross-site 
> redirection.
> That's why I suggested a change on defaults, or at least some clear 
> warning.
>

Interesting, it would certainly be nice if I or someone could verify this. If 
setting the policy from Lax to None also fixes the password reset issue, 
then I am mostly in favor of a "warning" somewhere for now. I do not think 
that a simple default change is a good idea in the long run. I'll mail you 
later for credentials (if I don't find some lying around in the company).

As for the beta versions, is it possible that you would only update Safari, 
or would you have to update your whole iOS/macOS? I.e. could you test with 
https://developer.apple.com/safari/technology-preview/ whether the issue is 
gone again on your Mac?

Cheers,
Florian
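An added illustration, not code from this thread, from Django or from WebKit: a small Python model of the SameSite cookie-attachment rules as the RFC 6265bis draft describes them, run against the two situations the thread turns on. The first is Flávio's report (a password-reset mail whose link goes to a tracker, which 302-redirects to the app); the second is the cross-site POST that SameSite=Lax exists to stop. The site names app.example, tracker.example and attacker.example are constructed; sessionid and csrftoken are Django's default cookie names. "Lax" stands for the Django 2.1 default and None for the pre-2.1 behaviour of emitting no attribute.

```python
# Added illustration for the thread above: a model of the SameSite
# cookie-attachment rules from the RFC 6265bis draft. This is NOT Django or
# WebKit code; "app.example", "tracker.example" and "attacker.example" are
# constructed site names. Cookie names are Django's defaults.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str                 # registrable domain that set the cookie
    samesite: Optional[str]   # "Strict", "Lax", or None for "attribute absent"


@dataclass(frozen=True)
class Request:
    target_site: str      # registrable domain of the URL being fetched
    initiator_site: str   # registrable domain of whoever started the navigation
    method: str
    top_level: bool       # True when the navigation changes the address bar


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Would a spec-conforming browser attach this cookie to this request?"""
    if cookie.site != req.target_site:
        return False                      # not the cookie's host at all
    if req.initiator_site == req.target_site:
        return True                       # same-site: SameSite never applies
    policy = (cookie.samesite or "None").lower()
    if policy == "none":
        # No attribute: unrestricted. (Chrome 80+ later began treating a
        # missing attribute as Lax, but this models 2019 behaviour.)
        return True
    if policy == "strict":
        return False                      # never on cross-site requests
    if policy == "lax":
        # Cross-site allowed only for top-level navigations with safe methods,
        # which is exactly what a 302 from an email tracker produces.
        return req.top_level and req.method.upper() in ("GET", "HEAD")
    raise ValueError(f"unknown SameSite value: {cookie.samesite!r}")


def django_cookies(samesite: Optional[str]) -> List[Cookie]:
    """sessionid/csrftoken as set by a site using one SAMESITE value for both;
    Django 2.1 defaults to 'Lax', Django < 2.1 set no attribute (None)."""
    return [Cookie("sessionid", "app.example", samesite),
            Cookie("csrftoken", "app.example", samesite)]


def sent_names(samesite: Optional[str], req: Request) -> List[str]:
    return [c.name for c in django_cookies(samesite) if cookie_sent(c, req)]


# Scenario 1 (the thread's report): password-reset mail -> tracker -> 302 to
# the app. From the app's point of view: cross-site, top-level GET.
RESET_VIA_TRACKER = Request("app.example", "tracker.example", "GET", True)

# Scenario 2 (what Lax is there to stop): a form on an attacker page POSTing
# to the app, i.e. classic CSRF. Cross-site, top-level POST.
CSRF_POST = Request("app.example", "attacker.example", "POST", True)


def reset_link_via_tracker(samesite: Optional[str]) -> List[str]:
    return sent_names(samesite, RESET_VIA_TRACKER)


def csrf_post_from_attacker(samesite: Optional[str]) -> List[str]:
    return sent_names(samesite, CSRF_POST)


if __name__ == "__main__":
    for value in ("Lax", "Strict", None):
        print(f"SAMESITE={value!r}: reset link via tracker sends "
              f"{reset_link_via_tracker(value)}, cross-site POST sends "
              f"{csrf_post_from_attacker(value)}")
```

Under the draft's rules, Lax sends both cookies on the redirected top-level GET, so the password-reset link is expected to work, while withholding them from the cross-site POST; Safari 12 dropping them on the redirect, as reported above, is therefore browser behaviour rather than what Lax is defined to do. Setting both values to None restores the pre-2.1 behaviour, but the second scenario shows the cost: the cookies then ride along on cross-site POSTs too, leaving only Django's token check as the CSRF defence.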

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/70770663-f56c-4c9c-b75b-961a1d6df964%40googlegroups.com.