Though it could still ajax-in the token from a page that does have it, 
right?

On Sunday, April 19, 2015 at 3:42:14 AM UTC-4, Marc Tamlyn wrote:
>
> I'm not a security expert, but one thing I could suggest is that this 
> setting does mean that only javascript on a page with a POST form can 
> access the CSRF token. Depending on the nature of your site, this could be 
> a significant proportion of pages.
>
> On 17 April 2015 at 21:22, Gavin Wahl <gavi...@gmail.com> wrote:
>
>> Ticket #15808 added the CSRF_COOKIE_HTTPONLY setting to set the
>> HttpOnly attribute on the csrftoken cookie. The HttpOnly attribute is
>> intended to prevent accessing a cookie through the DOM interface, only
>> sending it over HTTP. This improves security for session cookies
>> because it prevents XSS attacks from accessing the session id.
>>
>> The CSRF token is used through the DOM though, by embedding it in the
>> HTML of a form, so it's always accessible through JavaScript anyway.
>> The docs even suggest how to negate the effect of the setting:
>>
>> > This can help prevent malicious JavaScript from bypassing CSRF 
>> protection. If you enable this and need to send the value of the CSRF token 
>> with Ajax requests, your JavaScript will need to pull the value from a 
>> hidden CSRF token form input on the page instead of from the cookie.
>>
>> The first sentence isn't actually true. HttpOnly can't prevent
>> JavaScript from obtaining the csrftoken, because the csrftoken has to
>> be in the DOM anyway. The second sentence suggests doing something
>> that completely negates the effect of the setting, so why use it at
>> all?
>>
>> I understand that this setting may exist only to satisfy misguided
>> security scanners and not to actually improve security. If that's the
>> case, the implication that this setting improves security should be
>> removed from the docs.
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/39ea42ce-3740-4441-a020-8f0480e33fd6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
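The two token-retrieval paths the thread argues about, as an added example that is not code from the thread or from Django itself: a cookie lookup of the kind the Django docs describe, which returns nothing once CSRF_COOKIE_HTTPONLY keeps csrftoken out of document.cookie, beside a read of the hidden csrfmiddlewaretoken input that works whether or not the cookie is HttpOnly. The function names, the placeholder token, and the sample HTML and cookie strings are constructed for this example; the functions take the cookie string and page HTML as parameters so the same logic runs offline in Node as well as in a browser.

```javascript
// Added example (not from the thread): two ways page JavaScript can obtain a
// Django CSRF token, written as pure functions over strings so the logic can
// be exercised outside a browser. Function names are this example's own.

// Parse a document.cookie-style string ("a=1; b=2") and return one value.
// With CSRF_COOKIE_HTTPONLY = True the csrftoken cookie is still sent on every
// request, but it never appears in document.cookie, so this returns null.
function getCookieValue(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const [rawKey, ...rest] = part.split('=');
    if (rawKey.trim() === name) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Extract the token from the hidden input that Django's {% csrf_token %} tag
// renders (name attribute before value attribute, as Django emits it).
// This works regardless of HttpOnly: the value is part of the HTML, so any
// script running in the page can read it; the same parse works on HTML
// fetched from another page of the site, which is the point raised at the
// top of the thread.
function tokenFromHiddenInput(html) {
  const match = html.match(
    /<input[^>]*name=["']csrfmiddlewaretoken["'][^>]*value=["']([^"']+)["']/i
  );
  return match ? match[1] : null;
}

// The fallback strategy the docs describe: cookie first, then the DOM.
function resolveCsrfToken(cookieString, html) {
  const fromCookie = getCookieValue(cookieString, 'csrftoken');
  return fromCookie !== null ? fromCookie : tokenFromHiddenInput(html);
}

// Constructed sample data (placeholder token, not a real Django token).
const SAMPLE_TOKEN = 'EXAMPLEtoken0123456789abcdef';
const SAMPLE_HTML = `<form method="post">
  <input type="hidden" name="csrfmiddlewaretoken" value="${SAMPLE_TOKEN}">
  <button>Save</button>
</form>`;
// What document.cookie would expose with and without the HttpOnly flag on
// csrftoken (sessionid is HttpOnly by default in Django, so it is absent).
const COOKIES_WITHOUT_HTTPONLY = `theme=dark; csrftoken=${SAMPLE_TOKEN}`;
const COOKIES_WITH_HTTPONLY = 'theme=dark';

console.log('cookie path, no HttpOnly:', getCookieValue(COOKIES_WITHOUT_HTTPONLY, 'csrftoken'));
console.log('cookie path, HttpOnly:   ', getCookieValue(COOKIES_WITH_HTTPONLY, 'csrftoken'));
console.log('DOM path, either way:    ', resolveCsrfToken(COOKIES_WITH_HTTPONLY, SAMPLE_HTML));
```

Running it shows the asymmetry the thread describes: the cookie lookup yields the token only when the flag is off, while the hidden-input path yields it in both cases. HttpOnly therefore changes where in-page script reads the token from, not whether it can read it; what the flag does still deny is direct cookie access from script on pages that render no form at all.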
