#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-------------------------------------+-------------------------------------
Reporter: Flávio Juvenal | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage:
samesite,csrf,session,cookies | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Flávio Juvenal:
Old description:
> There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
> issue] that prevents common flows (sequences of requests) to work
> properly if there's `SameSite=lax` on cookies. This issue was
> [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
> Bates, from Apple] and it's still open.
>
> Examples of broken flows:
> - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
> asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
> - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
> cookie-issue-with-safari-12/
> - Clicking a link on an email:
> https://bugs.webkit.org/show_bug.cgi?id=188165#c40
> - SAML flow: https://github.com/IronCountySchoolDistrict/django-
> python3-saml/issues/1
>
> Since Safari 12 is the current stable version and it's widely deployed on
> iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
> `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
> general solution and it's
> [https://github.com/aspnet/Announcements/issues/318 the one recommended
> by Microsoft to fix the similar issue on ASP.NET].
>
> Core developers, could you please let me know if you agree with that
> change, so I can make a PR updating the defaults and the documentation?
>
> I think both CSRF and Session cookies shouldn't have the SameSite flag
> because I've found many 403 Forbidden issues on both on Safari 12. If
> more steps to reproduce beyond the links above are necessary, please let
> me know.
New description:
There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
issue] that prevents common flows (sequences of requests) to work properly
if there's `SameSite=lax` on cookies. This issue was
[https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
Bates, from Apple] and it's still open.
Examples of broken flows:
- OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
- Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
cookie-issue-with-safari-12/
- Clicking a link on an email:
https://bugs.webkit.org/show_bug.cgi?id=188165#c40
- SAML flow: https://github.com/IronCountySchoolDistrict/django-
python3-saml/issues/1
Since Safari 12 is the current stable version and it's widely deployed on
iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
`SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
general solution and it's
[https://github.com/aspnet/Announcements/issues/318 the one recommended by
Microsoft to fix the similar issue on ASP.NET] (they didn't change the
default, though).
Core developers, could you please let me know if you agree with that
change, so I can make a PR updating the defaults and the documentation?
I think both CSRF and Session cookies shouldn't have the SameSite flag
because I've found many 403 Forbidden issues on both on Safari 12. If more
steps to reproduce beyond the links above are necessary, please let me
know.
--
--
Ticket URL: <https://code.djangoproject.com/ticket/30250#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/062.17ce5e6f39c4277530822baf5984fff2%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
