As the author of 29975, I figured I'd weigh in here.

I've set our site to use SESSION_COOKIE_SAMESITE = None and 
CSRF_COOKIE_SAMESITE = None and tested password reset links with and without 
click tracking (in addition to Gmail's tracking), and it certainly appears to 
fix the issue with Safari on macOS and iOS for me.

Weirdly, it appears that Gmail isn't inserting click tracking for the plain 
password reset link, but when I use my own URL shortener, I can also see the 
google.com redirect in play. It may just be dev tools 
behaving strangely, or perhaps Google have tried to avoid adding their tracker 
for password reset links. Who knows!

> On 15 Mar 2019, at 14:38, Florian Apolloner <f.apollo...@gmail.com> wrote:
> 
> Hi Flavio,
> 
> On Friday, March 15, 2019 at 2:56:16 PM UTC+1, Flávio Junior wrote:
> > shouldn't httponly yes/no control whether JS can read the data?
> 
> Yes. But, on Django, the default is httponly false for the CSRF cookie. 
> So even without httponly, Safari doesn't allow JS to read the CSRF cookie. 
> Safari also doesn't send the session cookie nor the CSRF cookie during the 
> request (if it comes from a cross-site source, like an email tracker 
> redirection). 
> 
> Oh sorry I was being unclear here. What I wanted to say/ask is whether you 
> had set httponly because I couldn't imagine the SameSite policy to affect 
> that. Thanks for clearing that up.
> 
>  
> > I am wondering if this also results in 
> > https://code.djangoproject.com/ticket/29975 
> >  or if this is just a result of their tracking protection
> 
> Yes, I think it's the same problem. I don't think this is a result of the 
> "Protection Against First Party Bounce Trackers" because the issue doesn't 
> happen if SESSION_COOKIE_SAMESITE = None and CSRF_COOKIE_SAMESITE = None, 
> which is the behavior of Django < 2.1.
> This is an issue with Django 2.1 defaults + Safari 12 + cross-site 
> redirection.
> That's why I suggested a change on defaults, or at least some clear warning.
> 
> Interesting, it would certainly be nice if I/someone could verify this. If 
> setting the policy from lax to none also fixes the password reset issue, then 
> I am mostly in favor of a "warning" somewhere for now. I do not think that a 
> simple default change is a good idea in the long run. I'll mail you later for 
> credentials (If I don't find some lying around in the company).
> 
> As for the beta versions, is it possible that you would only update Safari or 
> would you have to update your whole iOS/macOS? I.e. could you test with 
> https://developer.apple.com/safari/technology-preview/ if the issue is gone 
> again on your mac?
> 
> Cheers,
> Florian
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/70770663-f56c-4c9c-b75b-961a1d6df964%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

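To make the mechanism under discussion concrete, here is an added example (not code from the thread, from Django, or from ticket 29975; Python 3.8+ for SimpleCookie's samesite support). It renders the Set-Cookie line Django's settings produce, models which cookies a browser attaches to the two-hop password-reset navigation when the link arrives through a cross-site tracker redirect, and lists the checks a practitioner would want before switching the SameSite settings to None. Assumptions, stated again in the code: the SameSite rules in cookie_sent are a simplified reading of the spec (Strict: same-site only; Lax: same-site or top-level safe-method navigation; None: always); a navigation that passed through a cross-site redirect is treated as cross-site for every hop; and the "safari12_reported" profile encodes only what the thread reports (Lax cookies withheld on such a navigation), not WebKit internals. The names DJANGO_21_DEFAULTS, THREAD_WORKAROUND and the function names are the example's own.

```python
"""Added example, not code from the thread, Django, or ticket 29975.
Assumptions: cookie_sent() is a simplified SameSite model; a navigation that
went through a cross-site redirect counts as cross-site on every hop; the
"safari12_reported" profile encodes only the behaviour the thread reports."""
from http.cookies import SimpleCookie
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

# Django 2.1 defaults versus the workaround used in the thread (names are ours).
DJANGO_21_DEFAULTS = {"SESSION_COOKIE_SAMESITE": "Lax", "CSRF_COOKIE_SAMESITE": "Lax",
                      "SESSION_COOKIE_SECURE": False, "CSRF_COOKIE_SECURE": False}
THREAD_WORKAROUND = {**DJANGO_21_DEFAULTS,
                     "SESSION_COOKIE_SAMESITE": None, "CSRF_COOKIE_SAMESITE": None}


def set_cookie_header(name: str, value: str, samesite: Optional[str],
                      secure: bool = False, httponly: bool = False) -> str:
    """Render a Set-Cookie line via SimpleCookie, as Django's set_cookie does.
    The Django 2.1 setting value None omits the attribute rather than
    emitting the SameSite=None token."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if secure:
        jar[name]["secure"] = True
    if httponly:
        jar[name]["httponly"] = True
    if samesite:
        jar[name]["samesite"] = samesite
    return jar[name].OutputString()


def cookie_sent(samesite: Optional[str], *, same_site_context: bool,
                top_level: bool, method: str, profile: str = "spec") -> bool:
    """Would a cookie with this SameSite attribute accompany the request?
    Simplified model (assumption): Strict only on same-site requests, Lax also
    on top-level navigations with a safe method, absent/None always."""
    if same_site_context:
        return True
    policy = (samesite or "None").capitalize()   # absent attribute: no restriction (2019 behaviour)
    if policy == "None":
        return True
    if policy == "Strict":
        return False
    if policy != "Lax":
        raise ValueError(f"unknown SameSite value {samesite!r}")
    if profile == "safari12_reported":
        return False   # thread's report: Lax cookies withheld after a cross-site redirect
    return top_level and method.upper() in SAFE_METHODS


def reset_link_succeeds(session_samesite: Optional[str], *, via_cross_site_redirect: bool,
                        profile: str = "spec") -> bool:
    """Two-hop flow as in Django's PasswordResetConfirmView: hop 1
    (GET /reset/<uidb64>/<token>/) needs no cookie, stores the token in the
    session and 302s; hop 2 (GET /reset/<uidb64>/set-password/) succeeds only
    if the session cookie comes back.  Assumption: a navigation that went
    through a cross-site redirect stays cross-site for the whole chain."""
    same_site = not via_cross_site_redirect
    return cookie_sent(session_samesite, same_site_context=same_site,
                       top_level=True, method="GET", profile=profile)


def settings_warnings(settings: dict) -> list:
    """Checks a practitioner wants before applying the workaround."""
    warnings = []
    for prefix in ("SESSION", "CSRF"):
        samesite = settings.get(f"{prefix}_COOKIE_SAMESITE")
        secure = settings.get(f"{prefix}_COOKIE_SECURE", False)
        if samesite in (None, "None"):
            warnings.append(f"{prefix}_COOKIE_SAMESITE is None: cross-site requests carry this "
                            f"cookie; CSRF protection rests on Django's token check alone")
            if not secure:
                warnings.append(f"{prefix}_COOKIE_SECURE is False: set it and serve over HTTPS; "
                                f"browsers that understand SameSite=None reject it without Secure")
    return warnings


if __name__ == "__main__":
    for setting in ("Lax", "Strict", None):
        for profile in ("spec", "safari12_reported"):
            ok = reset_link_succeeds(setting, via_cross_site_redirect=True, profile=profile)
            print(f"SESSION_COOKIE_SAMESITE={setting!r:8} profile={profile:18} "
                  f"reset link via tracker: {'works' if ok else 'fails'}")
    print(set_cookie_header("sessionid", "abc123", "Lax", secure=True, httponly=True))
    for w in settings_warnings(THREAD_WORKAROUND):
        print("warning:", w)
```

Under the spec profile a Lax session cookie still travels with the top-level GET and the reset works; only under the reported Safari 12 behaviour does it fail, which is why moving to None fixes it at the price of the CSRF hardening Lax was providing. The warnings list spells out that price and the Secure flag that should accompany the change.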