Meanwhile, there's a ticket [0] asking to expand the documentation of the settings.CSRF_COOKIE_HTTPONLY. If this setting doesn't provide any value, then I figure we should remove the system check that suggests to enable it and deemphasize it in the documentation and/or remove it. Is there consensus on this?
[0] https://code.djangoproject.com/ticket/27534 On Monday, May 4, 2015 at 12:21:54 PM UTC-4, Gavin Wahl wrote: > > > How so? You cannot just ajax-fetch stuff from different domains. > > I'm talking about a single domain. Injected javascript on a page that > doesn't contain the CSRF token can fetch a different page on the same > domain to get it. > > > If you already injected javascript onto the victims page (XSS) there is > no need to fetch the CSRF token, you already got greater control. > > Well, the HttpOnly flag is intended to reduce the damage an attacker > can do once the already can inject javascript. But I agree -- hiding > the CSRF token from javascript doesn't increase security in any way, > but the documentation implies it does. I want to make it clear in the > documentation that this setting has no meaningful effect. > > > If you still think you have a valid attack vector there, please send it > to secu...@djangoproject.com <javascript:> and add a bit more > explanation. > > There is no attack vector. This is just about misleading documentation. > > On Mon, May 4, 2015 at 5:58 AM, Florian Apolloner <f.apo...@gmail.com > <javascript:>> wrote: > > On Monday, April 20, 2015 at 6:38:55 AM UTC+2, Gavin Wahl wrote: > >>> > >>> > Though it could still ajax-in the token from a page that does have > it, > >>> > right? > >> > >> > >> Exactly right. > > > > > > How so? You cannot just ajax-fetch stuff from different domains. The > usual > > security policies will forbid that. If you already injected javascript > onto > > the victims page (XSS) there is no need to fetch the CSRF token, you > already > > got greater control. If you still think you have a valid attack vector > > there, please send it to secu...@djangoproject.com <javascript:> and > add a bit more > > explanation. > > > > Thanks & cheers, > > Florian > > > > -- > > You received this message because you are subscribed to a topic in the > > Google Groups "Django developers (Contributions to Django itself)" > group. > > To unsubscribe from this topic, visit > > > https://groups.google.com/d/topic/django-developers/nXjfLd8ba5k/unsubscribe. > > > To unsubscribe from this group and all its topics, send an email to > > django-develop...@googlegroups.com <javascript:>. > > To post to this group, send email to django-d...@googlegroups.com > <javascript:>. > > Visit this group at http://groups.google.com/group/django-developers. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/django-developers/7609a5bf-65d9-468a-8f64-c5e906cf5920%40googlegroups.com. > > > > > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/706246b4-dd5c-4176-8f7d-3f3fa6f44476%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
