subject:"\[Django\] #30250\: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default"

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-20 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  closed
Component:  Core (Other) |  Version:  2.1
 Severity:  Normal   |   Resolution:  duplicate
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Someday/Maybe
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Tim Graham):

 * status:  new => closed
 * resolution:   => duplicate


Comment:

 Duplicate of #29975.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.7401b2b7ad0c25add0be123e203637bd%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Core (Other) |  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Someday/Maybe
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Maciej Olko):

 * cc: Maciej Olko (added)


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.bb65e861e268b901b474ab079865f031%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Core (Other) |  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Someday/Maybe
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Flávio Juvenal):

 Thanks Tim, thread created on django-developers:
 https://groups.google.com/d/msg/django-developers/b_7XQYFaVeU/7M5KtGM2CAAJ

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.ad3c09a25e3778f4c960cbd836689908%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Core (Other) |  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Someday/Maybe
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Description changed by Flávio Juvenal:

Old description:

> There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
> issue] that prevents common flows (sequences of requests) to work
> properly if there's `SameSite=lax` on cookies. This issue was
> [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
> Bates, from Apple] and it's still open.
>
> Examples of broken flows:
> - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
> asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
> - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
> cookie-issue-with-safari-12/
> - Validating an email: https://bugs.webkit.org/show_bug.cgi?id=188165#c40
> - SAML flow: https://github.com/IronCountySchoolDistrict/django-
> python3-saml/issues/1
>
> Since Safari 12 is the current stable version and it's widely deployed on
> iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
> `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
> general solution and it's
> [https://github.com/aspnet/Announcements/issues/318 the one recommended
> by Microsoft to fix the similar issue on ASP.NET] (they didn't change the
> default, though).
>
> Core developers, could you please let me know if you agree with that
> change, so I can make a PR updating the defaults and the documentation?
>
> I think both CSRF and Session cookies shouldn't have the SameSite flag
> because I've found many 403 Forbidden issues on both on Safari 12. If
> more steps to reproduce beyond the links above are necessary, please let
> me know.

New description:

 There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
 issue] that prevents common flows (sequences of requests) to work properly
 if there's `SameSite=lax` on cookies. This issue was
 [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
 Bates, from Apple] and it's still open.

 Examples of broken flows:
 - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
 asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
 - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
 cookie-issue-with-safari-12/
 - Validating an email: https://bugs.webkit.org/show_bug.cgi?id=188165#c40
 - SAML flow: https://github.com/IronCountySchoolDistrict/django-
 python3-saml/issues/1

 Since Safari 12 is the current stable version and it's widely deployed on
 iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
 `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
 general solution and it's
 [https://github.com/aspnet/Announcements/issues/318 the one recommended by
 Microsoft to fix the similar issue on ASP.NET] (they didn't change the
 default, though).

 Core developers, could you please let me know if you agree with that
 change, so I can make a PR updating the defaults and the documentation?

 I think both CSRF and Session cookies shouldn't have the SameSite flag
 because I've found many 403 Forbidden issues on both on Safari 12. If more
 steps to reproduce beyond the links above are necessary, please let me
 know.

 ---
 Update:

 In fact, a much simpler flow is broken on Safari 12 with the default "Lax"
 settings.
 If the user comes from a cross-site redirection (like a tracker link from
 an email provider), Safari doesn't send samesite=lax cookies on the
 request. This causes multiple issues:
 1. User will not be logged in if `SESSION_COOKIE_SAMESITE = 'Lax'`. That
 behavior is only expected if `'Strict'`.
 2. User will not be able to make AJAX POST requests if
 `CSRF_COOKIE_SAMESITE = 'Lax'`, because JS code won't be able to read the
 CSRF cookie.
 3. POSTs on other open tabs/windows will fail if `CSRF_COOKIE_SAMESITE =
 'Lax'`, because Safari triggered a CSRF cookie update after the first
 request without cookies.

 Those issues do not happen on Chrome.
 Full example here: https://github.com/vintasoftware/safari-samesite-
 cookie-issue

--

-- 
Ticket URL: 
Django 
The Web framework

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Core (Other) |  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Someday/Maybe
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Tim Graham):

 * component:  Uncategorized => Core (Other)
 * easy:  1 => 0
 * stage:  Unreviewed => Someday/Maybe


Comment:

 Please raise the issue on the DevelopersMailingList as it gets more
 attention than this ticket tracker.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.39ebee0c756270e0b7978bb7e51a3eea%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Uncategorized|  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Description changed by Flávio Juvenal:

Old description:

> There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
> issue] that prevents common flows (sequences of requests) to work
> properly if there's `SameSite=lax` on cookies. This issue was
> [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
> Bates, from Apple] and it's still open.
>
> Examples of broken flows:
> - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
> asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
> - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
> cookie-issue-with-safari-12/
> - Clicking a link on an email:
> https://bugs.webkit.org/show_bug.cgi?id=188165#c40
> - SAML flow: https://github.com/IronCountySchoolDistrict/django-
> python3-saml/issues/1
>
> Since Safari 12 is the current stable version and it's widely deployed on
> iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
> `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
> general solution and it's
> [https://github.com/aspnet/Announcements/issues/318 the one recommended
> by Microsoft to fix the similar issue on ASP.NET] (they didn't change the
> default, though).
>
> Core developers, could you please let me know if you agree with that
> change, so I can make a PR updating the defaults and the documentation?
>
> I think both CSRF and Session cookies shouldn't have the SameSite flag
> because I've found many 403 Forbidden issues on both on Safari 12. If
> more steps to reproduce beyond the links above are necessary, please let
> me know.

New description:

 There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
 issue] that prevents common flows (sequences of requests) to work properly
 if there's `SameSite=lax` on cookies. This issue was
 [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
 Bates, from Apple] and it's still open.

 Examples of broken flows:
 - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
 asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
 - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
 cookie-issue-with-safari-12/
 - Validating an email: https://bugs.webkit.org/show_bug.cgi?id=188165#c40
 - SAML flow: https://github.com/IronCountySchoolDistrict/django-
 python3-saml/issues/1

 Since Safari 12 is the current stable version and it's widely deployed on
 iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
 `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
 general solution and it's
 [https://github.com/aspnet/Announcements/issues/318 the one recommended by
 Microsoft to fix the similar issue on ASP.NET] (they didn't change the
 default, though).

 Core developers, could you please let me know if you agree with that
 change, so I can make a PR updating the defaults and the documentation?

 I think both CSRF and Session cookies shouldn't have the SameSite flag
 because I've found many 403 Forbidden issues on both on Safari 12. If more
 steps to reproduce beyond the links above are necessary, please let me
 know.

--

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.a64649e6ee863592fcd8353ba5ba04b3%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Uncategorized|  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Description changed by Flávio Juvenal:

Old description:

> There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
> issue] that prevents common flows (sequences of requests) to work
> properly if there's `SameSite=lax` on cookies. This issue was
> [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
> Bates, from Apple] and it's still open.
>
> Examples of broken flows:
> - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
> asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
> - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
> cookie-issue-with-safari-12/
> - Clicking a link on an email:
> https://bugs.webkit.org/show_bug.cgi?id=188165#c40
> - SAML flow: https://github.com/IronCountySchoolDistrict/django-
> python3-saml/issues/1
>
> Since Safari 12 is the current stable version and it's widely deployed on
> iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
> `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
> general solution and it's
> [https://github.com/aspnet/Announcements/issues/318 the one recommended
> by Microsoft to fix the similar issue on ASP.NET].
>
> Core developers, could you please let me know if you agree with that
> change, so I can make a PR updating the defaults and the documentation?
>
> I think both CSRF and Session cookies shouldn't have the SameSite flag
> because I've found many 403 Forbidden issues on both on Safari 12. If
> more steps to reproduce beyond the links above are necessary, please let
> me know.

New description:

 There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
 issue] that prevents common flows (sequences of requests) to work properly
 if there's `SameSite=lax` on cookies. This issue was
 [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
 Bates, from Apple] and it's still open.

 Examples of broken flows:
 - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
 asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
 - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
 cookie-issue-with-safari-12/
 - Clicking a link on an email:
 https://bugs.webkit.org/show_bug.cgi?id=188165#c40
 - SAML flow: https://github.com/IronCountySchoolDistrict/django-
 python3-saml/issues/1

 Since Safari 12 is the current stable version and it's widely deployed on
 iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
 `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
 general solution and it's
 [https://github.com/aspnet/Announcements/issues/318 the one recommended by
 Microsoft to fix the similar issue on ASP.NET] (they didn't change the
 default, though).

 Core developers, could you please let me know if you agree with that
 change, so I can make a PR updating the defaults and the documentation?

 I think both CSRF and Session cookies shouldn't have the SameSite flag
 because I've found many 403 Forbidden issues on both on Safari 12. If more
 steps to reproduce beyond the links above are necessary, please let me
 know.

--

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.17ce5e6f39c4277530822baf5984fff2%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Uncategorized|  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Description changed by Flávio Juvenal:

Old description:

> There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
> issue] that prevents common flows (sequences of requests) to work
> properly if there's `SameSite=lax` on cookies. This issue was
> [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
> Bates, from Apple] and it's still open.
>
> Examples of broken flows:
> - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
> asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
> - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
> cookie-issue-with-safari-12/
> - Clicking a link on an email:
> https://bugs.webkit.org/show_bug.cgi?id=188165#c40
> - SAML flow: https://github.com/IronCountySchoolDistrict/django-
> python3-saml/issues/1
>
> Since Safari 12 is the current stable version and it's widely deployed on
> iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
> `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the more
> general solution and it's
> [https://github.com/aspnet/Announcements/issues/318 the one recommended
> by Microsoft to fix the similar issue on ASP.NET].
>
> Core developers, could you please let me know if you agree with that
> change, so I can make a PR updating the defaults and the documentation?
>
> I think both CSRF and Session cookies shouldn't have the SameSite flag
> because I've found many 403 Forbidden issues on both on Safari 12. If
> more steps to reproduce beyond the links above are necessary, please let
> me know.

New description:

 There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
 issue] that prevents common flows (sequences of requests) to work properly
 if there's `SameSite=lax` on cookies. This issue was
 [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
 Bates, from Apple] and it's still open.

 Examples of broken flows:
 - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
 asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
 - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
 cookie-issue-with-safari-12/
 - Clicking a link on an email:
 https://bugs.webkit.org/show_bug.cgi?id=188165#c40
 - SAML flow: https://github.com/IronCountySchoolDistrict/django-
 python3-saml/issues/1

 Since Safari 12 is the current stable version and it's widely deployed on
 iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
 `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the most
 general solution and it's
 [https://github.com/aspnet/Announcements/issues/318 the one recommended by
 Microsoft to fix the similar issue on ASP.NET].

 Core developers, could you please let me know if you agree with that
 change, so I can make a PR updating the defaults and the documentation?

 I think both CSRF and Session cookies shouldn't have the SameSite flag
 because I've found many 403 Forbidden issues on both on Safari 12. If more
 steps to reproduce beyond the links above are necessary, please let me
 know.

--

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.71452dfd91d2084c1d408b8f2b65f79f%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
 Reporter:  Flávio Juvenal   |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  Uncategorized|  Version:  2.1
 Severity:  Normal   |   Resolution:
 Keywords:   | Triage Stage:
  samesite,csrf,session,cookies  |  Unreviewed
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  1|UI/UX:  0
-+-
Description changed by Flávio Juvenal:

Old description:

> There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
> issue] that prevents common flows (sequences of requests) to work
> properly if there's `SameSite=lax` on cookies. This issue was
> [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
> Bates, from Apple] and it's still open.
>
> Examples of broken flows:
> - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
> asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
> - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
> cookie-issue-with-safari-12/
> - Clicking a link on an email:
> https://bugs.webkit.org/show_bug.cgi?id=188165#c40
> - SAML flow: https://github.com/IronCountySchoolDistrict/django-
> python3-saml/issues/1
>
> Since Safari 12 is the current stable version and it's widely deployed on
> iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
> `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`.
>
> Core developers, could you please let me know if you agree with that
> change, so I can make a PR updating the defaults and the documentation?
>
> I think both CSRF and Session cookies shouldn't have the SameSite flag
> because I've found many 403 Forbidden issues on both on Safari 12. If
> more steps to reproduce beyond the links above are necessary, please let
> me know.

New description:

 There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
 issue] that prevents common flows (sequences of requests) to work properly
 if there's `SameSite=lax` on cookies. This issue was
 [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
 Bates, from Apple] and it's still open.

 Examples of broken flows:
 - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
 asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
 - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
 cookie-issue-with-safari-12/
 - Clicking a link on an email:
 https://bugs.webkit.org/show_bug.cgi?id=188165#c40
 - SAML flow: https://github.com/IronCountySchoolDistrict/django-
 python3-saml/issues/1

 Since Safari 12 is the current stable version and it's widely deployed on
 iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
 `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`. That's the more
 general solution and it's
 [https://github.com/aspnet/Announcements/issues/318 the one recommended by
 Microsoft to fix the similar issue on ASP.NET].

 Core developers, could you please let me know if you agree with that
 change, so I can make a PR updating the defaults and the documentation?

 I think both CSRF and Session cookies shouldn't have the SameSite flag
 because I've found many 403 Forbidden issues on both on Safari 12. If more
 steps to reproduce beyond the links above are necessary, please let me
 know.

--

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.c61b85799948e3cde8303fd09a148ac5%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

[Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

2019-03-13 Thread Django

#30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies
should NOT be Lax by default
-+-
   Reporter:  Flávio |  Owner:  nobody
  Juvenal|
   Type:  Bug| Status:  new
  Component: |Version:  2.1
  Uncategorized  |   Keywords:
   Severity:  Normal |  samesite,csrf,session,cookies
   Triage Stage: |  Has patch:  0
  Unreviewed |
Needs documentation:  0  |Needs tests:  0
Patch needs improvement:  0  |  Easy pickings:  1
  UI/UX:  0  |
-+-
 There's a [https://bugs.webkit.org/show_bug.cgi?id=188165 iOS Safari 12
 issue] that prevents common flows (sequences of requests) to work properly
 if there's `SameSite=lax` on cookies. This issue was
 [https://bugs.webkit.org/show_bug.cgi?id=188165#c27 confirmed by Daniel
 Bates, from Apple] and it's still open.

 Examples of broken flows:
 - OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-
 asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
 - Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-
 cookie-issue-with-safari-12/
 - Clicking a link on an email:
 https://bugs.webkit.org/show_bug.cgi?id=188165#c40
 - SAML flow: https://github.com/IronCountySchoolDistrict/django-
 python3-saml/issues/1

 Since Safari 12 is the current stable version and it's widely deployed on
 iOS devices, I believe the Django default for `CSRF_COOKIE_SAMESITE` and
 `SESSION_COOKIE_SAMESITE` should be `None`, not `Lax`.

 Core developers, could you please let me know if you agree with that
 change, so I can make a PR updating the defaults and the documentation?

 I think both CSRF and Session cookies shouldn't have the SameSite flag
 because I've found many 403 Forbidden issues on both on Safari 12. If more
 steps to reproduce beyond the links above are necessary, please let me
 know.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/047.621c31832fa37a6ece5b2a640ba40c09%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

Re: [Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

[Django] #30250: Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default

10 matches

Site Navigation

Mail list logo

Footer information