OWASP Cheat Sheet says, "It is important to note that [the SameSite 
Cookie] attribute should be implemented as an additional layer *defense in 
depth* concept. This attribute protects the user through the browsers 
supporting it, and it contains as well 2 ways to bypass it as mentioned in 
the following section 
<https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1>. 
This attribute should not replace having a CSRF Token. Instead, it should 
co-exist with that token in order to protect the user in a more robust way."
On Tuesday, January 12, 2021 at 5:44:56 AM UTC-5 jacob...@gmail.com wrote:

> Shouldn't we consider putting the CSRF token on the deprecation list 
> anyway?
> All browsers released later than 2017 support the 'SameSite' cookie 
> attribute <https://caniuse.com/?search=SameSite>, making the CSRF token 
> obsolete.
> I don't know what kind of policy the Django Project follows in deprecating 
> browsers, but we can expect 
> that IE, Edge<16, Safari<12, Chrome<51, etc. won't play a major role when 
> Django-4 (or maybe 5?) will be released.
>
> Strictly speaking, the CSRF token is a hack/workaround which in an ideal 
> world shouldn't be required anyway.
> And it always has been painful having to fiddle with it in my Django Form 
> Views.
>
> Just my two cents,
> Jacob 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/915ff447-502e-45c2-8d18-bf5bee848c52n%40googlegroups.com.
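The layering the OWASP quote above argues for, shown as an added example that is not code from this thread or from Django itself: a minimal CSRF check in which the SameSite cookie attribute is only the first layer, a source-origin check is the second, and a double-submit token bound to the session cookie is the third, so that a browser from before SameSite support (which simply attaches the cookies to a cross-site form post) is still stopped by the remaining layers. The cookie, form-field and header names follow Django's conventions (`csrftoken`, `csrfmiddlewaretoken`, `X-CSRFToken`), but the `Request` class and the check logic are simplified stand-ins written for this example, not Django's middleware. Because SameSite=Lax still sends the cookie on cross-site top-level GET navigations, the methods listed as safe must genuinely have no side effects.

```python
# Added example (not from the thread or from Django itself): a minimal CSRF
# check that layers a SameSite cookie, a source-origin check and a
# double-submit token, so no single layer is the only thing standing between
# a cross-site page and a state-changing request.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Methods the server treats as side-effect free. SameSite=Lax still sends the
# cookie on cross-site top-level GET navigations, so GET must really be safe.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Names follow Django's conventions; the logic is a simplified stand-in,
# not Django's CsrfViewMiddleware.
COOKIE_NAME = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"
HEADER_NAME = "X-CSRFToken"


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (assumption: not a framework object)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def set_cookie_header(name: str, value: str) -> str:
    """Layer 1: the cookie itself carries SameSite (plus Secure and HttpOnly)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def issue_csrf_token() -> str:
    """Fresh unguessable token, placed both in the cookie and in the form/header."""
    return secrets.token_urlsafe(32)


def source_origin_allowed(request: Request, allowed_hosts: set[str]) -> bool:
    """Layer 2: the browser-supplied Origin (or Referer) must name one of our hosts."""
    source = request.headers.get("Origin") or request.headers.get("Referer")
    if not source:
        return False  # cannot tell where an unsafe request came from: fail closed
    return urlsplit(source).hostname in allowed_hosts


def csrf_check(request: Request, allowed_hosts: set[str]) -> tuple[bool, str]:
    """Return (allowed, reason). An unsafe request must pass every layer."""
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not source_origin_allowed(request, allowed_hosts):
        return False, "origin not allowed"
    # Layer 3: double-submit token. The cookie only proves the browser held it;
    # the copy in the form/header proves the page that sent the request could
    # read it, which a cross-site page cannot.
    cookie_token = request.cookies.get(COOKIE_NAME, "")
    submitted = request.headers.get(HEADER_NAME) or request.form.get(FORM_FIELD, "")
    if not cookie_token or not submitted:
        return False, "missing token"
    if not hmac.compare_digest(cookie_token, submitted):
        return False, "token mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed requests covering the cases each layer exists for."""
    hosts = {"app.example"}
    token = issue_csrf_token()
    legit = Request("POST", {"Origin": "https://app.example"},
                    {"sessionid": "s1", COOKIE_NAME: token}, {FORM_FIELD: token})
    # A browser from before SameSite support attaches the cookies to a
    # cross-site form post; layers 2 and 3 still reject it.
    old_browser_cross_site = Request("POST", {"Origin": "https://other.example"},
                                     {"sessionid": "s1", COOKIE_NAME: token}, {})
    # Right origin, but the page submitted a token that no longer matches the cookie.
    stale_token = Request("POST", {"Origin": "https://app.example"},
                          {"sessionid": "s1", COOKIE_NAME: token},
                          {FORM_FIELD: issue_csrf_token()})
    return {
        "legit": csrf_check(legit, hosts),
        "old_browser_cross_site": csrf_check(old_browser_cross_site, hosts),
        "stale_token": csrf_check(stale_token, hosts),
        "plain_get": csrf_check(Request("GET"), hosts),
    }


if __name__ == "__main__":
    print(set_cookie_header("sessionid", "s1"))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Each layer fails closed on its own: a request with no Origin or Referer is rejected before the token is even looked at, and a request from the right origin is still rejected when the token in the form does not match the one in the cookie, which is the behaviour the quoted cheat sheet describes as "co-existing" protections.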