Re: [Django] #32817: Include in CsrfViewMiddleware's bad CSRF token message where the token is from

Fri, 04 Jun 2021 12:33:22 -0700 

#32817: Include in CsrfViewMiddleware's bad CSRF token message where the token 
is
from
-------------------------------------+-------------------------------------
     Reporter:  Chris Jerdonek       |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  CSRF                 |                  Version:  dev
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Chris Jerdonek:

Old description:

> Currently, if `CsrfViewMiddleware` encounters a bad CSRF token, it will
> reject the request with a message like--
>
> * "CSRF token incorrect"
> * "CSRF token has incorrect length"
>
> I noticed that it would be relatively easy to include in these messages
> whether the token was obtained from `POST` data or a custom header, which
> would be useful for troubleshooting. The new messages could look e.g.
> like--
>
> * "CSRF token (from POST) incorrect"
> * "CSRF token (from 'X-CSRFToken' header) has incorrect length"
>
> The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would
> make these cases easy to test.

New description:

 Currently, if `CsrfViewMiddleware` encounters a bad CSRF token, it will
 reject the request with a message like--

 * "CSRF token incorrect"
 * "CSRF token has incorrect length"

 I noticed that it would be relatively easy to include in these messages
 whether the token was obtained from `POST` data or a custom header, which
 would be useful for troubleshooting. The messages are specified
 
[https://github.com/django/django/blob/213850b4b9641bdcb714172999725ec9aa9c9e84/django/middleware/csrf.py#L411-L417
 here in the code]. The new messages could look e.g. like--

 * "CSRF token (from POST) incorrect"
 * "CSRF token (from 'X-CSRFToken' header) has incorrect length"

 The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would make
 these cases easy to test.

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.56e17f3c75f476a136d8d4d2eb218640%40djangoproject.com.

Reply via email to