Hey Mat, thanks for the input. Good to know SESSION_COOKIE_SAMESITE = None 
and CSRF_COOKIE_SAMESITE = None solved issue 29975. Do you want to post 
this solution there? I can do it too.
I've updated safari-samesite-cookie-issue 
<https://github.com/vintasoftware/safari-samesite-cookie-issue> to better 
reproduce the session issue too.

Florian, I didn't know about Safari Technology Preview, thanks! Installed 
it on my Mac Mojave 10.14.3. Tested 
my safari-samesite-cookie-issue project again. Issue seems solved.
My Safari is "Release 77 (Safari 12.2, WebKit 14608.1.7.3)".

Good to know it's a matter of time until this issue is solved in the wild. 
But I still think it's a serious problem: it caused us a major disruption 
in production because our transactions are very email-based, and therefore 
rely on third-party redirects.

What are the next steps?
A warning in the docs for these settings?
Happy to help if necessary.

On Monday, March 18, 2019 at 2:38:13 PM UTC-3, Mat Gadd wrote:
>
> You're correct that is how they rewrite the URLs, but I did know that and 
> expect that to be the case. 
>
> > On 18 Mar 2019, at 17:35, René Fleschenberg <re...@fleschenberg.net> wrote: 
> > 
> > Hi. 
> > 
> > On 3/18/19 12:26 PM, Mat Gadd wrote: 
> >> Weirdly, it appears that Gmail isn't inserting click tracking for the 
> >> plain password reset link, but when I use my own URL shortener, I can 
> >> also see the google.com <http://google.com> redirect in play. It may 
> >> just be dev tools behaving strangely, or perhaps Google have tried to 
> >> avoid adding their tracker for password reset links. Who knows! 
> > 
> > I did not take the time to analyze this as thoroughly as I should have, 
> > but from a cursory look, it seemed to me that Gmail rewrites the links 
> > using JavaScript, and only when you click on them. Could that explain 
> > your observations? 
> > 
> > -- 
> > René 
> > 

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/76e3cf08-2c4c-4690-84e7-38eed0abb773%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
