Commit
[FIX] website_form: allow to submit form without csrf if not logged
Chrome recently changed their SameSite policy default value from None to Lax; the session is no longer shared between the webpage and the iframe. As a result, the csrf check systematically fails.

After this commit, the csrf_token check is only made when you have a session.

In case you are using your form in an iframe on another site, with the new cookies policy, your cookie with the session_id (linked to the csrf token) is not sent to the server and the csrf check always fails.

Since the purpose of the csrf is to prevent another website from submitting a form with your 'authenticated account', we can consider that if you are not logged in and so have no session_id, it is not critical and we can ignore the csrf check.

closes #58028

X-original-commit: f79240e
Signed-off-by: Olivier Dony (odo) <odo@openerp.com>
Signed-off-by: Jérémy Kersten (jke) <jke@openerp.com>
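The behaviour the commit message describes, as an added sketch that is not the project's code: a session-bound CSRF token stops validating once the cross-site iframe request arrives without the session cookie, and the check is then applied only to logged-in sessions. `Session`, `csrf_token_for`, `validate_csrf`, `accept_form_post` and the HMAC-over-session-id token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)  # constructed per-process secret


@dataclass
class Session:
    """Hypothetical server-side session resolved from the session_id cookie."""
    sid: str
    uid: Optional[int] = None  # None means nobody is logged in


def csrf_token_for(session: Session) -> str:
    # Token bound to the session id, so it only validates with that cookie.
    return hmac.new(SERVER_SECRET, session.sid.encode(), hashlib.sha256).hexdigest()


def validate_csrf(session: Session, token: Optional[str]) -> bool:
    if not token:
        return False
    return hmac.compare_digest(csrf_token_for(session), token)


def accept_form_post(session: Session, token: Optional[str]) -> bool:
    """Return True when the form submission should be processed."""
    if session.uid is None:
        # Not logged in: no authenticated account to abuse, check is skipped.
        return True
    return validate_csrf(session, token)


def demo() -> dict:
    logged_in = Session(sid=secrets.token_hex(16), uid=7)
    page_token = csrf_token_for(logged_in)
    # SameSite=Lax: the POST from a cross-site iframe arrives without the
    # session_id cookie, so the server sees a fresh anonymous session.
    framed = Session(sid=secrets.token_hex(16))
    return {
        "same_site_valid_token": accept_form_post(logged_in, page_token),
        "logged_in_missing_token": accept_form_post(logged_in, None),
        "logged_in_forged_token": accept_form_post(logged_in, "0" * 64),
        "framed_no_cookie": accept_form_post(framed, page_token),
        "framed_token_if_checked": validate_csrf(framed, page_token),
    }
```

`framed_token_if_checked` is the pre-commit failure: the token was issued for a session the server can no longer see, so an unconditional check rejects every framed submission.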