#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: Uncategorized | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by lukeplant):
Glenn, a few thoughts after some reflection:
1. Why don't we reject all POST requests that have neither CSRF cookie
nor the session cookie (apart from those views that have been specifically
exempted of course)? The current patch will let through POST requests
that don't have a CSRF cookie, which allows for login CSRF
(http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf). A
simple change and we can secure against login CSRF, and I can't see any
disadvantage to this.
2. Why do we actually need to have a unique CSRF cookie if the user has
specified a non-default session cookie name? Since the CSRF is now
decoupled from the session framework, and is orthogonal to it, I don't see
the need for this.
3. I think a CSRF_COOKIE_DOMAIN setting (default None) would be useful.
This way, it is possible for a form that appears on one sub-domain with a
target on another subdomain to be CSRF enabled and get through the
mechanism. I imagine this would be particularly useful if we go with
suggestion (1), which could otherwise cause a cross-sub-domain POST
request to be rejected.
With these addressed, I think we have an ace patch:
1. Login CSRF is eliminated (hitherto unaddressed)
2. CSRF protection is decoupled from session framework, removing most
false positives caused by session key cycling
3. Post-processing is eliminated (at least for all core/contrib apps, you
can still use it if you want), removing performance hit and general
nastiness
BTW, I've added your changes in last patch, note you need to 'svn add'
some new files. We really should use git or something to collaborate on
this...
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:27>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com
To unsubscribe from this group, send email to
django-updates+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en
-~----------~----~----~----~------~----~------~--~---
