Django forms with CSRF protection in IOS 14+

IOS 14 came out a few months ago, and it defaults to blocking all third-party cookies unless the user enables them specifically by disabling this option:

Settings -> Safari -> Prevent Cross-site Tracking

This presents a problem for Django forms with CSRF protection that are served inside an <iframe> from a third-party domain, like this:

-----Parent website------
|                       |
|   -----------------   |
|   |               |   |
|   |  Django form  |   |
|   |    inside     |   |
|   |    iframe     |   |
|   |               |   |
|   -----------------   |
|                       |
-------------------------

The Django form sets csrfmiddlewaretoken as a hidden form field and also sets a cookie called csrftoken, and it performs the form security verification when the form is submitted.

The problem comes when attempting to set the csrftoken cookie while inside an <iframe>, i.e. in a third-party website context. In IOS 14, this cookie is rejected. The form still submits without this cookie, but Django rejects the form as expected.

The exact error I am getting is: Forbidden (CSRF cookie not set.), which is correct from Django's point of view.

The form works correctly when we disable the Safari setting to allow cross-site tracking. But this needs to be done at the user level, which is not practical. The form also works correctly when served directly in a new browser window.

Now, here are my options:

  1. Disable CSRF security in my form as explained in the Django docs (not recommended from the security point of view)

  2. Tell users to enable third-party tracking (not possible)

There are a lot of references online about Django forms and IOS that are related to issues with the SameSite: None setting, but I can't find a solution to this new IOS 14 problem of enabling non-tracking cookies inside iframes. Has anyone found a solution to this problem yet?

It's a hard constraint for third-party web pages loaded inside iframes in the IOS browser. There is nothing that can be done to overcome this cookie limitation. Given that IOS is doing it, there is a chance that other browser vendors may also follow this practice in future.

For now, the only way is to exempt CSRF for Django forms that are expected to run inside iframes.

More details on exempting CSRF in forms: https://docs.djangoproject.com/en/3.2/ref/csrf/#django.views.decorators.csrf.csrf_exempt
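To make the failure mode in the question concrete, here is an added example (not code from the original question or answer, and not Django's own implementation) that models Django's double-submit CSRF check with plain Python dicts standing in for request.COOKIES and request.POST. The cookie name csrftoken and the field name csrfmiddlewaretoken come from the page; the masking scheme (a 32-character cookie secret and a 64-character masked form token that unmask to the same value) is my reading of Django 3.x and is an assumption. The `submit_from_iframe` helper is hypothetical: it simulates the browser dropping the third-party cookie, which is exactly why Django answers "CSRF cookie not set." even though the hidden field arrived intact, and it shows what `csrf_exempt` does, which is skip the comparison altogether.

```python
"""Model of Django's double-submit CSRF check, showing why the iframe case fails.

Added example, not Django's own code and not from the original post. It mirrors
the Django 3.x scheme (assumption): a 32-character secret lives in the
`csrftoken` cookie, and every rendered form carries `csrfmiddlewaretoken`, a
64-character masked copy of that secret; on POST both must unmask to the same
value. Plain dicts stand in for request.COOKIES and request.POST.
"""
import hmac
import secrets
import string
from typing import Dict, Tuple

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH

REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def new_csrf_secret() -> str:
    """Fresh cookie secret, one per client."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Return mask + (secret shifted by mask); a different value for every rendered form."""
    mask = new_csrf_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Inverse of mask_secret: recover the secret from a form token."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)] for c, m in zip(cipher, mask)
    )


def _well_formed(value: str, length: int) -> bool:
    return len(value) == length and all(ch in CSRF_ALLOWED_CHARS for ch in value)


def check_csrf(cookies: Dict[str, str], post: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason); the reasons reuse Django's own wording."""
    cookie_secret = cookies.get("csrftoken")
    if cookie_secret is None:
        # The IOS 14 iframe case ends here: the hidden field is present, but the
        # browser never stored the third-party cookie it has to be compared with.
        return False, REASON_NO_COOKIE
    request_token = post.get("csrfmiddlewaretoken", "")
    if not _well_formed(cookie_secret, CSRF_SECRET_LENGTH) or not _well_formed(
        request_token, CSRF_TOKEN_LENGTH
    ):
        return False, REASON_BAD_TOKEN
    # Constant-time comparison of the unmasked form token with the cookie secret.
    if not hmac.compare_digest(unmask_token(request_token), cookie_secret):
        return False, REASON_BAD_TOKEN
    return True, "OK"


def submit_from_iframe(cookies_blocked: bool, csrf_exempt: bool = False) -> str:
    """Simulate rendering and then POSTing a form embedded in a third-party iframe.

    `cookies_blocked` models Safari's "Prevent Cross-site Tracking" default;
    `csrf_exempt` models decorating the view with csrf_exempt, which skips the
    check entirely, and with it the protection the check provides.
    """
    # Server renders the form: Set-Cookie: csrftoken=<secret>, plus the hidden field.
    secret = new_csrf_secret()
    hidden_field = mask_secret(secret)
    # Browser side: a third-party cookie is dropped when cross-site tracking is blocked.
    browser_cookies = {} if cookies_blocked else {"csrftoken": secret}
    post = {"csrfmiddlewaretoken": hidden_field, "email": "user@example.invalid"}  # constructed
    if csrf_exempt:
        return "OK"
    _accepted, reason = check_csrf(browser_cookies, post)
    return reason
```

The simulation makes the trade-off in the answer visible: exempting the view is the only way to make the embedded form submit under this browser default, but it removes the check rather than satisfying it, so apply `csrf_exempt` only to the specific view the iframe posts to and keep the middleware for everything else. For the non-iframe cases mentioned in the question, the relevant Django settings are `CSRF_COOKIE_SAMESITE = 'None'` together with `CSRF_COOKIE_SECURE = True`, which let the cookie be sent in cross-site contexts where the browser still accepts third-party cookies; they do not help once the browser refuses to store the cookie at all.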
