I've been working on setting up a new project that's never going to see the
light of production, so I went down the road of just disabling CSRF for
that purpose. I notably found that the Django admin still requires CSRF,
even when the middleware has been removed from the MIDDLEWARE setting. I
On Tuesday, April 18, 2023 at 8:34:14 AM UTC-5 Stratos Moros wrote:
[...] In my experience there are legitimate cases for setting
SameSite=None, especially concerning iframes.
Specifically, when developing a web app intended to be embedded as an
iframe by a different top-level origin, you
I've recently been working with other new frameworks, particularly Remix.
Coming from Django, which has had excellent CSRF for many years, one of my
first questions was how to handle CSRF protection. And the response I got
lead me to the "Lax" SameSite cookie parameter, and that I really
