#34613: add support for Partitioned cookies
-------------------------------------+-------------------------------------
               Reporter:  Oleg Korsak  |        Owner:  nobody
                   Type:  New feature  |       Status:  new
              Component:  CSRF         |      Version:  4.1
               Severity:  Normal       |     Keywords:  chips, cookies, csrf, partitioned
           Triage Stage:  Unreviewed   |    Has patch:  0
     Needs documentation:  0           |  Needs tests:  0
 Patch needs improvement:  0           | Easy pickings: 0
                  UI/UX:  0            |
-------------------------------------+-------------------------------------
Hi.
I'm having issues with a Django app in Chrome. It works both as a standalone
app and embedded in an IFRAME in another system. Users tend to open it both
ways in tabs. At some point they manage to overwrite (e.g. by re-logging in)
the cookies with the session id and CSRF token in one tab, but Chrome
overwrites them for the other one as well, while the opened IFRAME still has
the old CSRF token in its HTML. So the next request fails. No issues in
Firefox.
I've found the following explanation:
https://developer.chrome.com/docs/privacy-sandbox/chips/
https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
So Firefox separates such cookies by default, while Chrome needs the server to
set a "Partitioned" flag on cookies. But... Django is unable to do so because
it uses the standard Python Morsel cookie class, which doesn't support it.
--
Ticket URL: <https://code.djangoproject.com/ticket/34613>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
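The limitation the reporter describes can be seen and worked around at the http.cookies level. The following is an added example, not the ticket's or Django's code: it shows that the standard Morsel rejects an unknown attribute name, and that a Morsel subclass extending the (private, so assumed-stable) `_reserved` and `_flags` tables is enough to render a `Set-Cookie` line with `Partitioned`. The Chrome CHIPS page linked above requires Partitioned cookies to also be Secure, and a cookie is only sent into a cross-site IFRAME with SameSite=None, so the builder sets both and refuses an insecure request. The function names, the cookie values, and the decision not to wire this into `HttpResponse.set_cookie` are all this example's own assumptions.

```python
"""Render a Set-Cookie header carrying the CHIPS "Partitioned" attribute.

Added example for this ticket, not Django's or CPython's code. It relies on
two private class attributes of http.cookies.Morsel (_reserved and _flags),
which is an assumption about CPython internals rather than a documented API.
"""
from http.cookies import CookieError, Morsel


def stdlib_supports_partitioned() -> bool:
    """True if the running Python's Morsel already accepts "partitioned".

    Morsel.__setitem__ raises CookieError for any attribute not listed in
    Morsel._reserved, which is exactly why Django cannot emit the flag.
    """
    try:
        Morsel()["partitioned"] = True
    except CookieError:
        return False
    return True


class PartitionedMorsel(Morsel):
    """Morsel that knows the Partitioned attribute.

    _reserved maps the lower-cased attribute name to the text rendered in
    the header; _flags lists attributes rendered without "=value". Both
    are copied from the parent, so every other attribute behaves as before.
    """

    _reserved = {**Morsel._reserved, "partitioned": "Partitioned"}
    _flags = Morsel._flags | {"partitioned"}


def build_partitioned_cookie(
    name: str,
    value: str,
    *,
    secure: bool = True,
    http_only: bool = True,
    path: str = "/",
) -> PartitionedMorsel:
    """Build a cookie intended for use inside a cross-site IFRAME under CHIPS.

    Chrome only stores a Partitioned cookie that is also Secure, and a
    cookie only reaches a cross-site IFRAME when SameSite=None, so both are
    forced here. Refusing secure=False avoids emitting a header the browser
    would silently drop.
    """
    if not secure:
        raise ValueError("Partitioned cookies must also be Secure")
    morsel = PartitionedMorsel()
    morsel.set(name, value, value)  # key, raw value, coded (on-the-wire) value
    morsel["path"] = path
    morsel["secure"] = True
    morsel["httponly"] = http_only  # a False flag is simply not rendered
    morsel["samesite"] = "None"
    morsel["partitioned"] = True
    return morsel


def set_cookie_header(morsel: Morsel) -> str:
    """Full header line, e.g. 'Set-Cookie: sessionid=...; Partitioned; ...'."""
    return morsel.output()


if __name__ == "__main__":
    # Constructed sample values; a real session id / CSRF token would be used.
    print("stdlib Morsel accepts Partitioned:", stdlib_supports_partitioned())
    print(set_cookie_header(build_partitioned_cookie("sessionid", "abc123")))
    print(set_cookie_header(build_partitioned_cookie("csrftoken", "tok", http_only=False)))
```

Morsel renders attributes in sorted key order, so the output reads `sessionid=abc123; HttpOnly; Partitioned; Path=/; SameSite=None; Secure`. Because `SimpleCookie` instantiates plain `Morsel` objects internally, getting this subclass into a Django response still needs a change in the framework (or a custom cookie container), which is what this ticket asks for.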
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018873030e14-5dc885fa-7ed4-4aea-b7d5-1ff8c701e5bf-000000%40eu-central-1.amazonses.com.