In such cases, you really do need Django's current CSRF protection. Personally I wouldn't mind it being off by default, since SameSite=Lax seems to be enough for most cases, but this could be a footgun for some people.
This could be handled by the configuration checker, which runs after reading the setup. Whenever CSRF_COOKIE_SAMESITE=None but 'django.middleware.csrf.CsrfViewMiddleware' is missing in the MIDDLEWARE <https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-MIDDLEWARE> setting, a warning shall be issued.

– Jacob

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/4e9c5627-3f29-48aa-bf4d-65ec4df179e8n%40googlegroups.com.
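What the proposed system check could look like, as an added example that is not code from the thread or from Django itself: it is written against a plain settings stand-in so it runs without Django installed, and the names `SettingsStub`, `CheckWarning`, `check_csrf_samesite` and the check id `security.WXXX` are assumptions (a real check would be registered with `django.core.checks.register` and return `django.core.checks.Warning`).

```python
from dataclasses import dataclass, field
from typing import Any, List

# Dotted path of the middleware the check looks for (as named in the thread).
CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"


@dataclass
class SettingsStub:
    """Constructed stand-in for django.conf.settings (assumption, not Django's API).
    Defaults mirror Django's: CSRF_COOKIE_SAMESITE is 'Lax' unless overridden."""
    MIDDLEWARE: List[str] = field(default_factory=list)
    CSRF_COOKIE_SAMESITE: Any = "Lax"


@dataclass
class CheckWarning:
    """Mirrors the shape of django.core.checks.Warning (msg, hint, id)."""
    msg: str
    hint: str
    id: str


def check_csrf_samesite(settings) -> List[CheckWarning]:
    """Warn when the CSRF cookie carries no Lax/Strict SameSite attribute and
    CsrfViewMiddleware is not installed, i.e. neither defence is in place."""
    samesite = getattr(settings, "CSRF_COOKIE_SAMESITE", "Lax")
    # Django accepts None (omit the attribute entirely) and the string "None"
    # (emit SameSite=None). Neither gives Lax-style protection, so treat both alike.
    unprotected = samesite is None or samesite == "None"
    # Assumption: match on the dotted path only; Django's own checks would also
    # need to resolve subclasses of the middleware, which is skipped here.
    middleware = list(getattr(settings, "MIDDLEWARE", None) or [])
    if unprotected and CSRF_MIDDLEWARE not in middleware:
        return [
            CheckWarning(
                msg=(
                    "CSRF_COOKIE_SAMESITE is %r and %s is not in MIDDLEWARE; "
                    "cross-site POST requests are not protected." % (samesite, CSRF_MIDDLEWARE)
                ),
                hint="Set CSRF_COOKIE_SAMESITE to 'Lax' or 'Strict', or add the middleware.",
                id="security.WXXX",  # placeholder id, not an allocated Django check id
            )
        ]
    return []
```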
