Thanks Adam,
of course I read your well-written article before diving into this topic,
thanks for sharing.
However, I don't agree about the index. The best solution is using the
CITEXT db type, which is very much alive.
Should Django deprecate support for the db type, a 3rd-party package
seems
Hello Everyone,
Looks like lax will do the trick, but it's not like there aren't legit
cases for same-site policy to be set to something less restrictive.
I agree. In my experience there are legitimate cases for setting
SameSite=None, especially concerning iframes.
Specifically, when develo
In such cases, you really do need Django's current CSRF protection.
Personally I wouldn't mind it being off by default, since SameSite=Lax
seems to be enough for most cases, but this could be a footgun for some
people.
This could be handled by the configuration checker, which runs after
rea
On Tuesday, April 18, 2023 at 8:34:14 AM UTC-5 Stratos Moros wrote:
[...] In my experience there are legitimate cases for setting
SameSite=None, especially concerning iframes.
Specifically, when developing a web app intended to be embedded as an
iframe by a different top-level origin, you can
In my experience, even SameSite None is not sufficient to use cookies
in cross-site iframes. Safari doesn't allow those cookies to be sent
unless you visit the site directly first. I've heard movements for
Firefox and/or Chrome having similar behavior, but I haven't been
working with iframes re
Well, TBH, I've just completed dealing with CSRF form in my projects. I ended
up exempting the particular view from CSRF because I didn't know how to get the
stuff to work. The problem was that Django parsed the body payload, which was
JSON and thus rejected its contents (because it wasn't form
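The JSON-body problem in the message above, as an added example that is not part of the thread and not Django's own code: Django's CsrfViewMiddleware only looks for the token inside a form-encoded body, so for a JSON body the client has to send it in the X-CSRFToken header instead, which lets the view keep its CSRF protection rather than being exempted. The snippet assumes Django's default cookie and header names (csrftoken and X-CSRFToken, i.e. CSRF_HEADER_NAME = HTTP_X_CSRFTOKEN); getCookie, buildJsonPostOptions, postJson and the sample cookie string are made up for the example.

```javascript
// Added example (not from the thread). Django's CsrfViewMiddleware only
// looks for the token inside the body when the body is form-encoded; for a
// JSON body it reads the X-CSRFToken request header instead (the default
// CSRF_HEADER_NAME is HTTP_X_CSRFTOKEN) and checks it against the csrftoken
// cookie. So the fix for a JSON POST is to send the header, not to
// @csrf_exempt the view.

// Extract one cookie's value from a "name=value; name2=value2" string.
// The string is passed in explicitly so this also runs outside a browser;
// a page would pass document.cookie.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build fetch() options for a JSON POST that Django's CSRF check accepts.
// Cookie and header names are Django's defaults (CSRF_COOKIE_NAME,
// CSRF_HEADER_NAME); adjust them if the project overrides those settings.
function buildJsonPostOptions(payload, cookieString) {
  const token = getCookie("csrftoken", cookieString);
  if (token === null) {
    // Without the cookie the server has nothing to match the header against;
    // the page must have set it, e.g. by rendering a form with {% csrf_token %}
    // or decorating the view with @ensure_csrf_cookie.
    throw new Error("csrftoken cookie not set");
  }
  return {
    method: "POST",
    credentials: "same-origin", // send sessionid and csrftoken along
    headers: {
      "Content-Type": "application/json",
      "X-CSRFToken": token, // what Django reads for non-form bodies
    },
    body: JSON.stringify(payload),
  };
}

// Browser usage (hypothetical endpoint URL): post JSON to a view that still
// has CSRF protection enabled. A 403 here means the token was missing or
// did not match the cookie.
async function postJson(url, payload, cookieString = document.cookie) {
  const response = await fetch(url, buildJsonPostOptions(payload, cookieString));
  if (response.status === 403) {
    throw new Error("Django rejected the request: CSRF token missing or mismatched");
  }
  return response.json();
}

// Constructed sample cookie string standing in for document.cookie.
const SAMPLE_COOKIES = "sessionid=abc123; csrftoken=x9Lq4tokenvalue; theme=dark";
```

The header-based check also works for any non-form content type (multipart uploads with a JSON part, text/plain, etc.); the only requirement is that the page already holds the csrftoken cookie, which is why a JSON-only page should render it with @ensure_csrf_cookie.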