From f7df426a5af59daec71f43e8ba6057422d8aaaef Mon Sep 17 00:00:00 2001
From: David Grudl
Date: Mon, 21 Oct 2019 21:00:10 +0200
Subject: [PATCH] Form: added disableSameSiteProtection() see https://forum.nette.org/cs/32609-nette-samesite-trvale-jak-resit-iframe
---
 src/Application/UI/Form.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/Application/UI/Form.php b/src/Application/UI/Form.php
index 9c69289b8..9c821062c 100644
--- a/src/Application/UI/Form.php
+++ b/src/Application/UI/Form.php
@@ -20,6 +20,9 @@ class Form extends Nette\Forms\Form implements ISignalReceiver
 /** @var callable[]&(callable(Form $sender): void)[]; Occurs when form is attached to presenter */
 public $onAnchor;
+ /** @var bool */
+ private $sameSiteProtection = true;
+
 /**
 * Application form constructor.
@@ -97,6 +100,15 @@ public function isAnchored(): bool
 }
+ /**
+ * Disables CSRF protection using a SameSite cookie.
+ */
+ public function disableSameSiteProtection(): void
+ {
+ $this->sameSiteProtection = false;
+ }
+
+
 /**
 * Internal: returns submitted HTTP data or null when form was not submitted.
 */
@@ -143,7 +155,7 @@ public function signalReceived(string $signal): void
 $class = get_class($this);
 throw new BadSignalException("Missing handler for signal '$signal' in $class.");
- } elseif (!$this->getPresenter()->getHttpRequest()->isSameSite()) {
+ } elseif ($this->sameSiteProtection && !$this->getPresenter()->getHttpRequest()->isSameSite()) {
 $this->getPresenter()->detectedCsrf();
 } elseif (!$this->getPresenter()->getRequest()->hasFlag(Nette\Application\Request::RESTORED)) {
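Review bot: The docblock on `disableSameSiteProtection()` reads as if the SameSite cookie were the means of disabling, and it does not say what the form gives up: with the flag off, the changed `elseif` in `signalReceived()` no longer reaches `detectedCsrf()` for a cross-site submission. I would reword it to `Disables the SameSite-cookie CSRF check for this form; cross-site submissions are then no longer rejected by it.` and add a second line, `A form that must work cross-site (e.g. embedded in an iframe) should carry a token via addProtection() instead.` The switch is per instance and one-way, since nothing in these hunks sets the property back to `true`, and that is worth stating in the same docblock. `signalReceived()` starts and ends outside the last hunk, so whether a later branch applies any other CSRF check cannot be confirmed from here.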