Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-29 Thread Florian Apolloner
I have just checked and the Django blog uses restructured text (or raw html) for the blog post. So if someone feels like writing a blogpost (I'll take care of formatting and posting) that would be most welcome and amazing! (Sorry for not being able to do it myself). Cheers, Florian On Friday,

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-29 Thread Florian Apolloner
On Thursday, March 28, 2019 at 11:37:21 PM UTC+1, Flávio Junior wrote: > > So new iOS and Mac minor versions were launched, but issue is still there. > Created a new bug ticket on Webkit and they're being able to reproduce > better the problem: https://bugs.webkit.org/show_bug.cgi?id=196375 > Ho

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-28 Thread Flávio Junior
So new iOS and Mac minor versions were launched, but the issue is still there. Created a new bug ticket on Webkit and they're able to reproduce the problem better: https://bugs.webkit.org/show_bug.cgi?id=196375 Hope they can reach a solution soon! Florian, you mean a blog post on Django's blog

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-19 Thread Florian Apolloner
On Monday, March 18, 2019 at 10:50:17 PM UTC+1, Flávio Junior wrote: > > What are the next steps? > A warning at the docs for these settings? > I guess that is the big question. We'd have to remove the warning "soonish" again I guess once safari is fixed (after all one wants the added security

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-18 Thread Flávio Junior
Hey Mat, thanks for the input. Good to know SESSION_COOKIE_SAMESITE = None and CSRF_COOKIE_SAMESITE = None solved the issue 29975. Do you want to post this solution there? I can do it too. I've updated safari-samesite-cookie-issue to

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-18 Thread Mat Gadd
You're correct that is how they rewrite the URLs, but I did know that and expect that to be the case. > On 18 Mar 2019, at 17:35, René Fleschenberg wrote: > > Hi. > > On 3/18/19 12:26 PM, Mat Gadd wrote: >> Weirdly, it appears that Gmail isn't inserting click tracking for the >> plain password

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-18 Thread René Fleschenberg
Hi. On 3/18/19 12:26 PM, Mat Gadd wrote: > Weirdly, it appears that Gmail isn't inserting click tracking for the > plain password reset link, but when I use my own URL shortener, I can > also see the google.com  redirect in play. It may > just be dev tools behaving strangely, or

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-18 Thread Mat Gadd
As the author of 29975, I figured I'd weigh in here. I've set our site to use SESSION_COOKIE_SAMESITE = None and CSRF_COOKIE_SAMESITE = None and tested password reset links with and without click tracking (in addition to Gmail's tracking), and it certainly appears to fix the issue with Safari

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-15 Thread Florian Apolloner
Hi Flavio, On Friday, March 15, 2019 at 2:56:16 PM UTC+1, Flávio Junior wrote: > > > shouldn't httponly yes/no control whether JS can read the data? > > Yes. But, on Django, the default is httponly false for CSRF cookie. > So even without httponly, Safari doesn't allow JS to read the CSRF cookie.

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-15 Thread Flávio Junior
Hi Florian, thanks for your response. > So this is a Safari bug? Yes. Lax doesn't work as intended in Safari 12. Bug was confirmed here: https://bugs.webkit.org/show_bug.cgi?id=188165#c37 (comment 37) Apple also says the newest beta versions of iOS/Mac should fix the issue: https://bugs.webkit.

Re: Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-15 Thread Florian Apolloner
I am wondering if this also results in https://code.djangoproject.com/ticket/29975 or if this is just a result of their tracking protection. All in all it would be great to know what Safari actually does… (sadly I do not own a Mac :/) I'll dig through #30250 soon. > - User will not be logged i

Django 2.1 default of samesite=Lax for Session and CSRF cookies cause issues on Safari 12

2019-03-13 Thread Flávio Junior
Hi folks, after upgrading to Django 2.1, we noticed many occurrences of 403 CSRF errors for Safari 12 users. After days debugging the problem, we've pinpointed the issue to the Webkit Bug 188165: https://bugs.webkit.org/show_bug.cgi?id=188165 In simple terms, Safari 12 implementation of samesite
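As an added illustration (not code from Django, from WebKit, or from anyone in this thread), the Python below models the Strict / Lax / absent SameSite rules that Django 2.1's Lax default relies on, then replays the scenario the thread describes: a password-reset link opened from webmail through a cross-site click-tracking redirect, followed by the same-site POST of the reset form. It runs the replay once under the Django 2.1 defaults and once under the SESSION_COOKIE_SAMESITE = None / CSRF_COOKIE_SAMESITE = None workaround reported earlier in the thread, and also shows what that workaround gives back to a cross-site forged POST. The hostnames are constructed sample data, the registrable-domain logic is simplified to the last two labels (an assumption; real browsers use the Public Suffix List), and the Set-Cookie line is a reduced shape of what Django emits. A spec-conforming browser sends Lax cookies on both steps of the flow; the thread's point is that Safari 12 did not behave that way.

```python
"""SameSite semantics behind the Lax-vs-None question in this thread.

Added illustration, not Django's or the thread's code.  Hostnames are
constructed; site_of() is a simplification (assumption: last two labels).
"""
from dataclasses import dataclass

# Django 2.1 defaults for the two settings discussed in the thread.
DJANGO_21_DEFAULTS = {"SESSION_COOKIE_SAMESITE": "Lax", "CSRF_COOKIE_SAMESITE": "Lax"}
# The workaround reported in the thread.  In Django 2.1 a value of None
# means the SameSite attribute is not written at all.
THREAD_WORKAROUND = {"SESSION_COOKIE_SAMESITE": None, "CSRF_COOKIE_SAMESITE": None}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    initiator: str   # site that caused the request; "" for address bar / bookmark
    target: str      # host the request goes to
    method: str
    top_level: bool  # top-level navigation (URL bar changes) vs fetch/img/iframe


def site_of(host: str) -> str:
    """Registrable domain, simplified to the last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def is_cross_site(req: Request) -> bool:
    if not req.initiator:          # user-initiated navigations are never cross-site
        return False
    return site_of(req.initiator) != site_of(req.target)


def cookie_sent(samesite, req: Request) -> bool:
    """Would a cookie carrying this SameSite value be attached to req?"""
    if not is_cross_site(req):
        return True
    if samesite is None:           # attribute absent: pre-SameSite behaviour
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":          # only top-level navigations with a safe method
        return req.top_level and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value {samesite!r}")


def set_cookie_header(name, value, samesite, httponly=False) -> str:
    """Reduced Set-Cookie line in the shape Django 2.1 emits for these settings
    (expires / Max-Age / Secure left out for brevity)."""
    parts = [f"{name}={value}", "Path=/"]
    if httponly:
        parts.append("HttpOnly")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def password_reset_flow(settings) -> dict:
    """Replay the thread's scenario; returns which cookies reach the server."""
    app = "app.example"            # constructed hostname
    steps = {
        # Link clicked in webmail.  The click-tracking redirect on the mail
        # provider's side keeps the navigation cross-site for the app.
        "open reset link": Request("mail.example", app, "GET", True),
        # The reset form then posts back to the same site.
        "submit new password": Request(app, app, "POST", True),
    }
    return {
        label: {
            "sessionid": cookie_sent(settings["SESSION_COOKIE_SAMESITE"], req),
            "csrftoken": cookie_sent(settings["CSRF_COOKIE_SAMESITE"], req),
        }
        for label, req in steps.items()
    }


def forged_post_gets_cookies(settings) -> bool:
    """The cost of the None workaround: a cross-site POST from another site
    carries the CSRF cookie again, so Django's CSRF middleware has to reject
    it by token/Referer checks alone rather than getting SameSite for free."""
    forged = Request("attacker.example", "app.example", "POST", True)
    return cookie_sent(settings["CSRF_COOKIE_SAMESITE"], forged)


if __name__ == "__main__":
    for name, cfg in ("Django 2.1 default", DJANGO_21_DEFAULTS), ("thread workaround", THREAD_WORKAROUND):
        print(name, password_reset_flow(cfg), "forged POST carries cookies:", forged_post_gets_cookies(cfg))
    print(set_cookie_header("csrftoken", "abc", DJANGO_21_DEFAULTS["CSRF_COOKIE_SAMESITE"]))
```

Under the model, Lax already lets both steps of the reset flow through, which is why the 403 seen on Safari 12 points at the browser rather than at the setting; dropping to None makes the flow work on the broken browser at the price of losing SameSite as a second layer against forged cross-site POSTs, leaving Django's token and Referer checks as the only CSRF defence.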