From 98a794399086f93f4fa0e03b50bbf746bae1c9d6 Mon Sep 17 00:00:00 2001
From: Agus Hilman
Date: Thu, 14 Sep 2023 20:10:35 +0700
Subject: [PATCH] Set CSRF samesite cookie to 'None'
---
 kobo/settings/base.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kobo/settings/base.py b/kobo/settings/base.py
index 34181a886e..cf0ccea1ed 100644
--- a/kobo/settings/base.py
+++ b/kobo/settings/base.py
@@ -57,11 +57,12 @@ CSRF_TRUSTED_ORIGINS = [SESSION_COOKIE_DOMAIN]
 CSRF_COOKIE_SECURE = True
 ENKETO_CSRF_COOKIE_NAME = env.str('ENKETO_CSRF_COOKIE_NAME', '__csrf')
+CSRF_COOKIE_SAMESITE = 'None'
 SESSION_COOKIE_AGE = 60*60*24 # Session age is 24 hour
 SESSION_SAVE_EVERY_REQUEST = True # Renew session every request made
 SESSION_COOKIE_SECURE = True
-SESSION_COOKIE_SAMESITE = 'None'
+SESSION_COOKIE_SAMESITE = 'None'
 # Instances of this model will be treated as allowed origins; see
 # https://github.com/ottoyiu/django-cors-headers#cors_model
@@ -788,7 +789,7 @@ def dj_stripe_request_callback_method():
 ]
 CSP_FRAME_ANCESTORS = CSP_OC_SITES
 CSP_CONNECT_SRC = CSP_CONNECT_SRC + CSP_OC_SITES
-CSP_FRAME_SRC = CSP_FRAME_SRC + CSP_OC_SITES
+CSP_FRAME_SRC = CSP_FRAME_SRC + CSP_OC_SITES
 csp_report_uri = env.url('CSP_REPORT_URI', None)
 if csp_report_uri:
     # Let environ validate uri, but set as string
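Review bot: The added `CSRF_COOKIE_SAMESITE = 'None'` carries no comment explaining why the CSRF cookie must be sent on cross-site requests, and together with the neighbouring `SESSION_COOKIE_SAMESITE = 'None'` it means the browser's SameSite defence no longer helps against cross-site POSTs, so protection rests entirely on Django's token comparison and its Origin/Referer validation against `CSRF_TRUSTED_ORIGINS`, which this hunk shows as `[SESSION_COOKIE_DOMAIN]` and which must therefore stay minimal. Browsers discard a `SameSite=None` cookie that is not also `Secure`; that is satisfied by `CSRF_COOKIE_SECURE = True` two lines above, but the dependency is implicit and worth recording next to the setting, e.g. `CSRF_COOKIE_SAMESITE = 'None'  # Needed for cross-site (presumably embedded/iframe — confirm) requests; requires CSRF_COOKIE_SECURE = True, otherwise browsers drop the cookie`. The `-`/`+` pair for `SESSION_COOKIE_SAMESITE` in this hunk and for `CSP_FRAME_SRC` in the second hunk look like whitespace-only changes unrelated to the commit subject; I would drop them or mention them in the commit message so the intent is not mistaken for a value change.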