Hello Everyone,
Looks like lax will do the trick, but it's not like there aren't legit
cases for same-site policy to be set to something less restrictive.
I agree. In my experience there are legitimate cases for setting
SameSite=None, especially concerning iframes.
Specifically, when developing a web app intended to be embedded as an
iframe by a different top-level origin, you can't really use cookies
unless their SameSite attribute is None. This is the case even if you
manage the cookies entirely inside the iframe and its origin.
In such cases, you really do need Django's current CSRF protection.
Personally I wouldn't mind it being off by default, since SameSite=Lax
seems to be enough for most cases, but this could be a footgun for some
people.
Best,
Stratos
On 17 Apr 2023, at 10:55, Jure Erznožnik wrote:
https://security.stackexchange.com/questions/262245/are-csrf-attacks-a-thing-of-the-past
Looks like lax will do the trick, but it's not like there aren't legit
cases for same-site policy to be set to something less restrictive.
LP,
Jure
On 17. 04. 23 09:24, Jacob Rief wrote:
On Monday, April 17, 2023 at 8:45:16 AM UTC+2 Curtis Maloney wrote:
Are you implying that all CSRF attacks protected by Django's
current machinery are entirely mitigated by SameSite=Lax on the
_session_ cookiue?
Yes. Therefore imho, the CSRF protection is just some nasty legacy,
developers have to fiddle with. It doesn't add any security benefit
anymore.
That said, maybe there is still a possible attack vector on cross
site request forgeries, but I was unable to exploit them with
disabled CSRF protection.
Therefore it would be great, if someone with more hacking experience
than myself, could try this.
– Jacob
--
You received this message because you are subscribed to the Google
Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/18aaa4cf-4612-4373-bd91-90cfb3fd07b8n%40googlegroups.com
<https://groups.google.com/d/msgid/django-developers/18aaa4cf-4612-4373-bd91-90cfb3fd07b8n%40googlegroups.com?utm_medium=email&utm_source=footer>
.
--
You received this message because you are subscribed to the Google
Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/86ced442-e7f9-aab8-9a03-d9c2362b60f9%40gmail.com.
--
You received this message because you are subscribed to the Google Groups "Django
developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/CA2FC1A6-4307-4076-B158-197D8A9481B6%40gmail.com.
