#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
-------------------------------------+-------------------------------------
     Reporter:  Andrew Charles       |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * version:   => master
 * type:  Uncategorized => Cleanup/optimization


Old description:

> https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
> https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
>
> There should be a note in the CSRF AJAX docs that the
> {{{CSRF_COOKIE_HTTP_ONLY}}} setting will prevent non-safe ajax calls from
> working (if using the js provided). It should note that you have to
> include the csrf token via the template tag {{{{% csrf_token %}}}}, and
> update the js with something like this:
> {{{#!javascript
> // getCookie() is the helper from the Django CSRF docs; it returns null when
> // the cookie is absent or (with CSRF_COOKIE_HTTPONLY) hidden from JavaScript.
> var csrftoken = getCookie('csrftoken');
> if (csrftoken === null) {
>     // Fall back to the hidden input rendered by {% csrf_token %}.
>     csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
>     // jQuery's .val() returns undefined (not null) when no input matches.
>     if (csrftoken == null) {
>         console.log('No csrf token');
>     }
> }
> }}}
>
> This is my first Django issue/ticket, sorry if I missed anything.

New description:

 https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
 https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

 There should be a note in the CSRF AJAX docs that the
 {{{CSRF_COOKIE_HTTPONLY}}} setting will prevent non-safe ajax calls from
 working (if using the js provided). It should note that you have to
 include the csrf token via the template tag {{{{% csrf_token %}}}}, and
 update the js with something like this:
 {{{#!javascript
 // getCookie() is the helper from the Django CSRF docs; it returns null when
 // the cookie is absent or (with CSRF_COOKIE_HTTPONLY) hidden from JavaScript.
 var csrftoken = getCookie('csrftoken');
 if (csrftoken === null) {
     // Fall back to the hidden input rendered by {% csrf_token %}.
     csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
     // jQuery's .val() returns undefined (not null) when no input matches.
     if (csrftoken == null) {
         console.log('No csrf token');
     }
 }
 }}}

 This is my first Django issue/ticket, sorry if I missed anything.
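A worked version of the fallback the ticket describes, added here as an example and not code from the ticket or from Django: the cookie parser and token resolution are written as pure functions that take the cookie string and the hidden input's value as parameters (assumed names getCookie, resolveCsrfToken, csrfSafeMethod, buildHeaders), so they run outside a browser; the sample cookie strings are constructed.

```javascript
// Added example, not the ticket's or Django's code. The cookie string and
// hidden-input value are passed in instead of read from document/jQuery.

// Constructed sample inputs: with the csrftoken cookie readable, and with
// CSRF_COOKIE_HTTPONLY hiding it from JavaScript.
const COOKIES_WITH_TOKEN = 'sessionid=abc; csrftoken=tok-from-cookie';
const COOKIES_HTTPONLY = 'sessionid=abc';

// Return the named cookie's value, or null when absent (same contract as the
// getCookie helper in the Django CSRF docs).
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Cookie first, then the hidden input from {% csrf_token %}. hiddenInputValue
// models $('input[name="csrfmiddlewaretoken"]').val(), which is undefined
// (not null) when the input is missing, so a strict === null check is wrong.
function resolveCsrfToken(cookieString, hiddenInputValue) {
  const fromCookie = getCookie('csrftoken', cookieString);
  if (fromCookie) return fromCookie;
  if (hiddenInputValue) return hiddenInputValue;
  return null;
}

// Methods Django's CSRF middleware does not check; no header needed for them.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Request headers for a given method; X-CSRFToken is attached only to unsafe
// requests, and a missing token fails loudly rather than earning a 403 later.
function buildHeaders(method, cookieString, hiddenInputValue) {
  const headers = { 'Content-Type': 'application/json' };
  if (csrfSafeMethod(method)) return headers;
  const token = resolveCsrfToken(cookieString, hiddenInputValue);
  if (token === null) {
    throw new Error('No CSRF token: cookie unreadable and no {% csrf_token %} input');
  }
  headers['X-CSRFToken'] = token;
  return headers;
}
```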

--

Comment:

 It seems fine, but allegedly `CSRF_COOKIE_HTTPONLY`
 [https://groups.google.com/forum/#!topic/django-developers/nXjfLd8ba5k
 doesn't provide any additional security]. So I'm not sure if we're wasting
 our time enhancing its documentation rather than deemphasizing it in the
 documentation (or even removing it)?

--
Ticket URL: <https://code.djangoproject.com/ticket/27534#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
