#9977: CSRFMiddleware needs template tag ---------------------------------------------+------------------------------ Reporter: bthomas | Owner: lukeplant Status: assigned | Milestone: Component: Uncategorized | Version: SVN Resolution: | Keywords: csrf Stage: Design decision needed | Has_patch: 1 Needs_docs: 1 | Needs_tests: 0 Needs_better_patch: 1 | ---------------------------------------------+------------------------------ Comment (by lukeplant):
Glenn, a few thoughts after some reflection: 1. Why don't we reject all POST requests that have neither CSRF cookie nor the session cookie (apart from those views that have been specifically exempted of course)? The current patch will let through POST requests that don't have a CSRF cookie, which allows for login CSRF (http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf). A simple change and we can secure against login CSRF, and I can't see any disadvantage to this. 2. Why do we actually need to have a unique CSRF cookie if the user has specified a non-default session cookie name? Since the CSRF is now decoupled from the session framework, and is orthogonal to it, I don't see the need for this. 3. I think a CSRF_COOKIE_DOMAIN setting (default None) would be useful. This way, it is possible for a form that appears on one sub-domain with a target on another subdomain to be CSRF enabled and get through the mechanism. I imagine this would be particularly useful if we go with suggestion (1), which could otherwise cause a cross-sub-domain POST request to be rejected. With these addressed, I think we have an ace patch: 1. Login CSRF is eliminated (hitherto unaddressed) 2. CSRF protection is decoupled from session framework, removing most false positives caused by session key cycling 3. Post-processing is eliminated (at least for all core/contrib apps, you can still use it if you want), removing performance hit and general nastiness BTW, I've added your changes in last patch, note you need to 'svn add' some new files. We really should use git or something to collaborate on this... -- Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:27> Django <http://code.djangoproject.com/> The Web framework for perfectionists with deadlines. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django updates" group. To post to this group, send email to django-updates@googlegroups.com To unsubscribe from this group, send email to django-updates+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-updates?hl=en -~----------~----~----~----~------~----~------~--~---