RE: Drop CSRF middleware from the settings template

2023-04-18 Thread jure.erznoznik
Well, TBH, I've just completed dealing with CSRF form in my projects. I ended up exempting the particular view from CSRF because I didn't know how to get the stuff to work. The problem was that Django parsed the body payload, which was JSON and thus rejected its contents (because it wasn't form

Re: Drop CSRF middleware from the settings template

2023-04-18 Thread Stratos Moros
In my experience, even SameSite None is not sufficient to use cookies in cross-site iframes. Safari doesn't allow those cookies to be sent unless you visit the site directly first. I've heard movements for Firefox and/or Chrome having similar behavior, but I haven't been working with iframes

Re: Drop CSRF middleware from the settings template

2023-04-18 Thread 'Ryan Hiebert' via Django developers (Contributions to Django itself)
On Tuesday, April 18, 2023 at 8:34:14 AM UTC-5 Stratos Moros wrote: [...] In my experience there are legitimate cases for setting SameSite=None, especially concerning iframes. Specifically, when developing a web app intended to be embedded as an iframe by a different top-level origin, you

Re: Drop CSRF middleware from the settings template

2023-04-18 Thread Jacob Rief
In such cases, you really do need Django's current CSRF protection. Personally I wouldn't mind it being off by default, since SameSite=Lax seems to be enough for most cases, but this could be a footgun for some people. This could be handled by the configuration checker, which runs after

Re: Drop CSRF middleware from the settings template

2023-04-18 Thread Stratos Moros
Hello Everyone, Looks like lax will do the trick, but it's not like there aren't legit cases for same-site policy to be set to something less restrictive. I agree. In my experience there are legitimate cases for setting SameSite=None, especially concerning iframes. Specifically, when

Re: Deprecate CICharField, CIEmailField, CITextField

2023-04-18 Thread 'Johannes Maron' via Django developers (Contributions to Django itself)
Thanks Adam, of course I read your well-written article before diving into this topic, thanks for sharing. However, I don't agree about the index. The best solution is using the CITEXT db type, which is very much alive. Should Django deprecate support for the db type, a 3rd party package