Hi folks,
after upgrading to Django 2.1, we noticed many occurrences of 403 CSRF 
errors for Safari 12 users.
After days debugging the problem, we've pinpointed the issue to the Webkit 
Bug 188165: https://bugs.webkit.org/show_bug.cgi?id=188165

In simple terms, Safari 12's implementation of samesite=Lax cookies is wrong.
It causes issues in many common request flows, like the OpenIdConnect flow 
for ASP.NET Core 2.1.

For Django, the issue might be considered even worse. If the user comes 
from a cross-site redirection (like a tracker link from an email provider), 
Safari doesn't send samesite=lax cookies on the request. This causes 
multiple issues. We've been able to identify these three, but maybe there 
are more:
- User will not be logged in if SESSION_COOKIE_SAMESITE = 'Lax'. That 
behavior is only expected if 'Strict', AFAIK.
- User will not be able to make AJAX POST requests if CSRF_COOKIE_SAMESITE 
= 'Lax', because JS code won't be able to read the CSRF cookie.
- POSTs on other open tabs/windows will fail if CSRF_COOKIE_SAMESITE = 
'Lax', because Safari triggered a CSRF cookie update after the first 
request without cookies.

Those issues do not happen on Chrome or Firefox.
A full Django project example of the problem above is available here: 
https://github.com/vintasoftware/safari-samesite-cookie-issue

Since Safari 12 is the current stable version and it's widely deployed on 
iOS devices, I believe the Django default for CSRF_COOKIE_SAMESITE and 
SESSION_COOKIE_SAMESITE should be None, not Lax.

Upgrading to Django 2.1 caused this issue for us and frustrated many users. 
I think a more conservative default is necessary here to avoid breaking 
common use cases like visiting a web app page logged in after receiving a 
transactional or scheduled email.
If you do not wish to change the defaults, IMHO at least a warning should 
be placed in the documentation. For comparison, Microsoft issued a security 
advisory describing the bug on 
ASP.NET: https://github.com/aspnet/Announcements/issues/318
Please let me know your thoughts; I can help with a PR if needed.

Related Django ticket: https://code.djangoproject.com/ticket/30250

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/c0911f7b-f4e9-466b-bb72-ede732a5a41a%40googlegroups.com.
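To make the failure mode in the post concrete, here is an added model (not code from Django, nor from the original post) of which Django cookies a browser attaches to the cross-site navigation described above, under the SameSite rules a spec-compliant browser applies versus the Safari 12 behaviour the thread reports. The `safari12` branch assumes the bug amounts to treating Lax like Strict on a cross-site navigation; `Request`, `cookie_sent` and `django_symptoms` are names chosen for this illustration.

```python
"""Model of SameSite cookie attachment for Django's session and CSRF cookies.

Added illustration of the thread's report; the Safari 12 branch is an
assumption (Lax treated like Strict on cross-site navigations), not a
verified description of WebKit internals.
"""
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class Request:
    cross_site: bool  # initiator site differs from the target site
    top_level: bool   # address-bar navigation, as opposed to XHR/subresource
    method: str       # HTTP method of the request


def cookie_sent(samesite, req, browser="spec"):
    """Return True if a cookie with this SameSite setting is attached.

    `samesite` uses Django's setting values: 'Lax', 'Strict', or None
    (None means Django omits the attribute entirely).
    """
    if not req.cross_site or samesite is None:
        return True                      # same-site, or no SameSite restriction
    if samesite == "Strict":
        return False                     # never sent cross-site
    # Lax: sent cross-site only on top-level navigations with a safe method.
    if browser == "safari12":
        return False                     # assumed bug: Lax withheld like Strict
    return req.top_level and req.method.upper() in SAFE_METHODS


def django_symptoms(settings, req, browser="spec"):
    """Map the cookies a browser withholds to the user-visible issues the post lists."""
    symptoms = []
    if not cookie_sent(settings.get("SESSION_COOKIE_SAMESITE"), req, browser):
        symptoms.append("not logged in")          # session cookie missing
    if not cookie_sent(settings.get("CSRF_COOKIE_SAMESITE"), req, browser):
        symptoms.append("AJAX POST fails")        # JS cannot read the CSRF cookie
    return symptoms


# Constructed scenario: following a tracker link from an e-mail (cross-site GET).
EMAIL_LINK = Request(cross_site=True, top_level=True, method="GET")
DJANGO_21_DEFAULTS = {"SESSION_COOKIE_SAMESITE": "Lax", "CSRF_COOKIE_SAMESITE": "Lax"}
PROPOSED_DEFAULTS = {"SESSION_COOKIE_SAMESITE": None, "CSRF_COOKIE_SAMESITE": None}

if __name__ == "__main__":
    print("spec browser:", django_symptoms(DJANGO_21_DEFAULTS, EMAIL_LINK))
    print("safari12:    ", django_symptoms(DJANGO_21_DEFAULTS, EMAIL_LINK, "safari12"))
```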