This repository has been archived by the owner on Oct 25, 2022. It is now read-only.
Add support for SameSite=None; Secure #23
Comments
Hi, implemented this in this PR - #24
Was fixed in #24
regisb added a commit to overhangio/tutor that referenced this issue on Aug 16, 2020:
Recent releases of Chrome refuse to set csrf and session cookies for which secure=False, samesite=None. The "secure" attribute is not set by the SameSite middleware in v0.5.1. It was introduced in v0.6.0. Instead, the "secure" attribute is set on the sessions cookie by the openedx.core.djangoapps.safe_sessions.middleware.SafeSessionMiddleware middleware. For the csrf cookie, the "secure" attribute is set by Django. We could certainly get rid of the SafeSessionMiddleware by upgrading the django-cookie-samesite dependency to v0.6.0. Instead, we need to define environment-specific settings manually.

See:
https://github.com/edx/edx-platform/pull/23671
https://github.com/edx/edx-platform/pull/24593
https://discuss.overhang.io/t/users-cannot-login-csrf-cookie-not-set/815
https://discuss.openedx.org/t/lti-xblock-and-samesite/759/3
https://blog.heroku.com/chrome-changes-samesite-cookie
https://docs.djangoproject.com/en/2.2/ref/settings/#csrf-cookie-secure
jotes/django-cookies-samesite#23
What if I have an API-gateway in front with https, but the http is still in django itself behind that gateway, which will still not work. Fortunately, there's an alternative to this: https://github.com/zvyn/django-samesite-none
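The commit message above describes the failure mode (Chrome dropping a cookie sent with SameSite=None but without Secure), and the comment above raises the TLS-terminating proxy case. The following is an added example, not code from this repository, django-cookies-samesite, or Tutor: a small Set-Cookie parser that flags exactly that combination in response headers, plus a check over Django's own SESSION_COOKIE_* / CSRF_COOKIE_* settings. The sample headers and settings dict are constructed; the setting names are Django's real ones (the string value 'None' for the *_COOKIE_SAMESITE settings only exists natively from Django 3.1, which is why the thread uses the django-cookies-samesite middleware on 2.2). Note that the Secure attribute is simply a flag in the header; whether Django sets it depends on the settings below, not on whether Django itself received the request over HTTPS, so the proxy layout in the comment does not prevent the flag from being emitted.

```python
"""Flag cookies that modern Chrome rejects: SameSite=None without Secure.

Added example, not project code. Sample inputs below are constructed.
"""


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path, SameSite, ...) to their
    string value. Only the first '=' of the name=value pair is significant.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def samesite_none_is_secure(header: str) -> bool:
    """True unless the cookie says SameSite=None without the Secure flag.

    Cookies with SameSite=Lax/Strict, or with no SameSite attribute at all
    (which Chrome treats as Lax by default), are not affected by this rule.
    """
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if isinstance(samesite, str) and samesite.lower() == "none":
        return attrs.get("secure") is True
    return True


def audit_headers(headers):
    """Return the names of cookies in `headers` that Chrome would drop."""
    return [parse_set_cookie(h)[0] for h in headers if not samesite_none_is_secure(h)]


def check_django_settings(settings: dict):
    """Return the *_COOKIE_SECURE settings that must be True because the
    matching *_COOKIE_SAMESITE is 'None' (settings names are Django's own;
    the 'None' string value is a Django 3.1+ feature)."""
    problems = []
    for prefix in ("SESSION", "CSRF"):
        samesite = settings.get(f"{prefix}_COOKIE_SAMESITE")
        secure = settings.get(f"{prefix}_COOKIE_SECURE", False)
        if isinstance(samesite, str) and samesite.lower() == "none" and not secure:
            problems.append(f"{prefix}_COOKIE_SECURE")
    return problems


# Constructed sample headers: the first is the broken case from the thread.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; SameSite=None",
    "csrftoken=xyz789; Path=/; SameSite=None; Secure",
    "lang=en; Path=/; SameSite=Lax",
]

# Constructed settings: session cookie misconfigured, csrf cookie correct.
SAMPLE_SETTINGS = {
    "SESSION_COOKIE_SAMESITE": "None",
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SAMESITE": "None",
    "CSRF_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    print("cookies Chrome would drop:", audit_headers(SAMPLE_HEADERS))
    print("settings to fix:", check_django_settings(SAMPLE_SETTINGS))
```

Running the module reports `sessionid` as the cookie Chrome would drop and `SESSION_COOKIE_SECURE` as the setting to turn on; pointing `audit_headers` at the Set-Cookie headers captured from a real login response is the quickest way to confirm whether the middleware version in use actually emits the Secure flag.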
https://web.dev/samesite-cookie-recipes/
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://digiday.com/media/what-is-chrome-samesite/