[Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt


[Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-----------------------------------------+------------------------
               Reporter:  zerolab        |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  CSRF           |        Version:  2.2
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 {{{xframe_options_exempt}}} is broken with the default setting for
 {{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} as of #27863.

 Our use case: an embeddable form started returning 403 when submitted
 after upgrading to 2.2

 To reproduce:
 - create a simple form
 - show it on a page with a custom view, decorated with
 {{{xframe_options_exempt}}}
 - load the view in an iframe and try to submit.

 At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/
 could do with a note about it.

--
Ticket URL: <https://code.djangoproject.com/ticket/30732>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/050.d17efa130154acc7a0ea38ea5338e9ee%40djangoproject.com.

Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------+--------------------------------------
     Reporter:  zerolab        |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  CSRF           |                  Version:  2.2
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Description changed by zerolab:

Old description:

> {{{xframe_options_exempt}}} is broken with the default setting for
> {{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} as of
> #27863.
>
> Our use case: an embeddable form started returning 403 when submitted
> after upgrading to 2.2
>
> To reproduce:
> - create a simple form
> - show it on a page with a custom view, decorated with
> {{{xframe_options_exempt}}}
> - load the view in an iframe and try to submit.
>
> At the very least,
> https://docs.djangoproject.com/en/2.2/ref/clickjacking/ could do with a
> note about it.
New description:

 {{{xframe_options_exempt}}} is broken with the default setting for
 {{{CSRF_COOKIE_SAMESITE}}} and {{{SESSION_COOKIE_SAMESITE}}} (i.e.
 {{{Lax}}}) as of #27863.

 Our use case: an embeddable form started returning 403 when submitted
 after upgrading to 2.2

 To reproduce:
 - create a simple form
 - show it on a page with a custom view, decorated with
 {{{xframe_options_exempt}}}
 - load the view in an iframe and try to submit.

 At the very least, https://docs.djangoproject.com/en/2.2/ref/clickjacking/
 could do with a note about it.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Accepted
  Clickjacking                       |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

 * keywords:   => CSRF, SameSite, Clickjacking
 * type:  Uncategorized => Cleanup/optimization
 * component:  CSRF => Documentation
 * easy:  0 => 1
 * stage:  Unreviewed => Accepted


Comment:

 These topics are orthogonal, but, OK yes, often the reason to allow use in
 an iframe would be form submission.

 As such, a note in `docs/ref/clickjacking.txt` cross-linking to the
 `CSRF_COOKIE_SAMESITE` and/or `SESSION_COOKIE_SAMESITE` docs would seem
 appropriate.

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  Jezeniel
         Type:                       |  Zapanta
  Cleanup/optimization               |                   Status:  assigned
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Accepted
  Clickjacking                       |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Jezeniel Zapanta):

 * owner:  nobody => Jezeniel Zapanta
 * status:  new => assigned


Comment:

 Will handle this ticket.

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  Jezeniel
         Type:                       |  Zapanta
  Cleanup/optimization               |                   Status:  assigned
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Accepted
  Clickjacking                       |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Jezeniel Zapanta):

 Replying to [comment:2 Carlton Gibson]:
 > These topics are orthogonal, but, OK yes, often the reason to allow use
 in an iframe would be form submission.
 >
 > As such, a note in `docs/ref/clickjacking.txt` cross-linking to the
 `CSRF_COOKIE_SAMESITE` and/or `SESSION_COOKIE_SAMESITE` docs would seem
 appropriate.

 I have some questions regarding this, maybe this is somehow unrelated to
 the ticket but what if you just want to disable the `CSRF_COOKIE_SAMESITE`
 to a certain view? If we modify `CSRF_COOKIE_SAMESITE` it will be disabled
 globally, what if you want granular control over this? Will it be possible?

 Will this also be possible?

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

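The reproduction in the ticket description (form in a cross-site iframe, POST returns 403 with the default `Lax` cookies) and the per-view question in comment 4 both come down to one mechanism: the browser decides, from the SameSite attribute stored on the cookie, whether to attach it to a request, and Django's CSRF middleware then rejects any unsafe request that arrives without the CSRF cookie. The following is an added example, not code from the ticket, the linked pull request or the Django project. It models the browser's SameSite rules and the core of the CSRF cookie check in plain Python; the `Cookie`, `Request`, `browser_sends`, `csrf_check` and `submit_form` names are hypothetical, the rules are simplified (Django's token masking and Referer check are omitted), and `csrftoken` / `sessionid` are Django's default cookie names. On comment 4's question it also shows why per-view control cannot live in the receiving view: the attribute is fixed when the cookie is issued, so the view handling the POST has no say in whether the browser sent it.

```python
"""
Added example (not from the ticket or Django): a model of the browser's
SameSite cookie rules and of the CSRF cookie check, showing why a form in a
cross-site iframe gets a 403 when the CSRF cookie is Lax, and what changes
when the cookie is issued with SameSite=None; Secure.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CSRF_COOKIE = "csrftoken"       # Django's default CSRF_COOKIE_NAME
SESSION_COOKIE = "sessionid"    # Django's default SESSION_COOKIE_NAME
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    """A cookie as stored by the browser (hypothetical helper type)."""
    name: str
    value: str
    samesite: Optional[str]   # 'Strict', 'Lax', 'None', or None (attribute absent)
    secure: bool = False


@dataclass(frozen=True)
class Request:
    """Context the browser knows about an outgoing request (hypothetical)."""
    method: str
    cross_site: bool    # initiating site differs from the cookie's site
    top_level: bool     # top-level navigation, not an iframe load or iframe form POST
    https: bool = True


def browser_sends(cookie: Cookie, req: Request) -> bool:
    """Simplified SameSite rules (RFC 6265bis). An absent attribute is
    modelled as Lax, which is the 'Lax by default' behaviour of Chrome 80+."""
    if cookie.secure and not req.https:
        return False
    mode = cookie.samesite or "Lax"
    if mode == "None":
        # Browsers only honour SameSite=None on cookies that are also Secure.
        return cookie.secure
    if not req.cross_site:
        return True
    if mode == "Strict":
        return False
    # Lax: cross-site only on top-level navigations using a safe method.
    return req.top_level and req.method in SAFE_METHODS


def csrf_check(sent_cookies: dict, form: dict) -> int:
    """Core of what CsrfViewMiddleware enforces for unsafe methods: the CSRF
    cookie must be present and match the csrfmiddlewaretoken form field.
    Token masking and the HTTPS Referer check are omitted. Returns a status."""
    cookie_token = sent_cookies.get(CSRF_COOKIE)
    if cookie_token is None:
        return 403  # "CSRF cookie not set."
    if not hmac.compare_digest(cookie_token, form.get("csrfmiddlewaretoken", "")):
        return 403  # "CSRF token missing or incorrect."
    return 200


def submit_form(csrf_samesite: Optional[str], secure: bool = False,
                cross_site: bool = True):
    """The ticket's scenario: a view decorated with xframe_options_exempt is
    loaded in an iframe and its form is POSTed. The cookies were issued with
    the given SameSite attribute. Returns (csrf_cookie_sent, http_status)."""
    token = secrets.token_urlsafe(32)                      # constructed token
    jar = [Cookie(CSRF_COOKIE, token, csrf_samesite, secure),
           Cookie(SESSION_COOKIE, "constructed-session-id", csrf_samesite, secure)]
    # A form POST from inside an iframe is never a top-level navigation.
    req = Request(method="POST", cross_site=cross_site, top_level=False)
    sent = {c.name: c.value for c in jar if browser_sends(c, req)}
    # The rendered form carried the matching token; only the cookie can be missing.
    status = csrf_check(sent, {"csrfmiddlewaretoken": token})
    return CSRF_COOKIE in sent, status


if __name__ == "__main__":
    for label, kwargs in [("Lax (2.2 default), cross-site iframe", dict(csrf_samesite="Lax")),
                          ("Strict, cross-site iframe", dict(csrf_samesite="Strict")),
                          ("Lax, same-site iframe", dict(csrf_samesite="Lax", cross_site=False)),
                          ("None without Secure", dict(csrf_samesite="None")),
                          ("None; Secure", dict(csrf_samesite="None", secure=True))]:
        sent, status = submit_form(**kwargs)
        print(f"{label:40s} cookie sent={sent!s:5s} -> HTTP {status}")
```

The first case is the ticket: with `Lax` the browser withholds `csrftoken` from the iframe's POST, so the middleware answers 403 even though the form field is correct. The only cookie configuration that makes the embedded submission work is `SameSite=None` together with `Secure` (Django's settings accept the string `'None'` from 3.1 on; in 2.2 the choices are `'Lax'`, `'Strict'` or Python `None`, which omits the attribute). Because such a cookie rides along on every cross-site request, the token comparison in `csrf_check` is then what stands between the view and cross-site request forgery, which is why the decorator and the cookie flag are separate concerns, as comment 2 says.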

Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  Jezeniel
         Type:                       |  Zapanta
  Cleanup/optimization               |                   Status:  assigned
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Accepted
  Clickjacking                       |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Jezeniel Zapanta):

 * has_patch:  0 => 1


Comment:

 https://github.com/django/django/pull/11759

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  Jezeniel
         Type:                       |  Zapanta
  Cleanup/optimization               |                   Status:  assigned
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Ready for
  Clickjacking                       |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by felixxm):

 * stage:  Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  Jezeniel
         Type:                       |  Zapanta
  Cleanup/optimization               |                   Status:  closed
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Ready for
  Clickjacking                       |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"e8ad265ac882f8f118d2c4a7618bd3e3916fc13e" e8ad265a]:
 {{{
 #!CommitTicketReference repository=""
 revision="e8ad265ac882f8f118d2c4a7618bd3e3916fc13e"
 Fixed #30732 -- Doc'd that SameSite cookies flags can affect
 xframe_options_exempt.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  Jezeniel
         Type:                       |  Zapanta
  Cleanup/optimization               |                   Status:  closed
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Ready for
  Clickjacking                       |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

 In [changeset:"9510af35fce9de740f76f04cb5216c42daa1b9f3" 9510af35]:
 {{{
 #!CommitTicketReference repository=""
 revision="9510af35fce9de740f76f04cb5216c42daa1b9f3"
 [3.0.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect
 xframe_options_exempt.

 Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.


Re: [Django] #30732: The default SameSite cookie flag breaks xframe_options_exempt

Django
#30732: The default SameSite cookie flag breaks xframe_options_exempt
-------------------------------------+-------------------------------------
     Reporter:  Dan Braghis          |                    Owner:  Jezeniel
         Type:                       |  Zapanta
  Cleanup/optimization               |                   Status:  closed
    Component:  Documentation        |                  Version:  2.2
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  CSRF, SameSite,      |             Triage Stage:  Ready for
  Clickjacking                       |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

 In [changeset:"62a4a5062fb12bebe87505f9ecd1484212d85795" 62a4a50]:
 {{{
 #!CommitTicketReference repository=""
 revision="62a4a5062fb12bebe87505f9ecd1484212d85795"
 [2.2.x] Fixed #30732 -- Doc'd that SameSite cookies flags can affect
 xframe_options_exempt.

 Backport of e8ad265ac882f8f118d2c4a7618bd3e3916fc13e from master
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30732#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
