Re: [Django] #27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs

2021-04-21 Thread Django
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
--------------------------------------+-----------------------------------
     Reporter:  Andrew Charles        |  Owner:  nobody
         Type:  Cleanup/optimization  |  Status:  closed
    Component:  Documentation         |  Version:  dev
     Severity:  Normal                |  Resolution:  duplicate
     Keywords:                        |  Triage Stage:  Accepted
    Has patch:  0                     |  Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |  UI/UX:  0
--------------------------------------+-----------------------------------
Changes (by Mariusz Felisiak):

 * status:  new => closed
 * resolution:   => duplicate


Comment:

 Duplicate of #29879. Fixed in 76b3367035889d87ffef7a52cd44d70e30537f6f.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.d2fe3069a97f695259958d5bc1a80cb3%40djangoproject.com.


Re: [Django] #27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs

2016-12-16 Thread Django
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
--+
 Reporter:  Andrew Charles|Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+
Changes (by Tim Graham):

 * stage:  Unreviewed => Accepted


Comment:

 The technique of retrieving the CSRF token from a form input is now
 [https://docs.djangoproject.com/en/dev/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true documented for a different reason].
 I created #27611 to remove the check suggesting the use of
 `CSRF_COOKIE_HTTPONLY`, but a brief explanation of the proposed docs with a
 link to the other section seems fine.



Re: [Django] #27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs

2016-11-28 Thread Django
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
--------------------------------------+-----------------------------------
     Reporter:  Andrew Charles        |  Owner:  nobody
         Type:  Cleanup/optimization  |  Status:  new
    Component:  Documentation         |  Version:  master
     Severity:  Normal                |  Resolution:
     Keywords:                        |  Triage Stage:  Unreviewed
    Has patch:  0                     |  Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |  UI/UX:  0
--------------------------------------+-----------------------------------

Comment (by Andrew Charles):

 Replying to [comment:1 Tim Graham]:
 > It seems fine, but allegedly `CSRF_COOKIE_HTTPONLY`
 > [https://groups.google.com/forum/#!topic/django-developers/nXjfLd8ba5k
 > doesn't provide any additional security]. So I'm not sure if we're wasting
 > our time enhancing its documentation rather than deemphasizing it in the
 > documentation (or even removing it)?

 I know that a browser can ignore this setting and that it doesn't really
 provide additional security, but `CSRF_COOKIE_HTTPONLY` is currently
 recommended when running `python manage.py check --deploy`. Until it is
 removed I think this would improve the docs and avoid confusion when using
 it with AJAX.



Re: [Django] #27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs (was: Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs)

2016-11-25 Thread Django
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
--------------------------------------+-----------------------------------
     Reporter:  Andrew Charles        |  Owner:  nobody
         Type:  Cleanup/optimization  |  Status:  new
    Component:  Documentation         |  Version:  master
     Severity:  Normal                |  Resolution:
     Keywords:                        |  Triage Stage:  Unreviewed
    Has patch:  0                     |  Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |  UI/UX:  0
--------------------------------------+-----------------------------------
Changes (by Tim Graham):

 * version:   => master
 * type:  Uncategorized => Cleanup/optimization


Old description:

> https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
> https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
>
> There should be a note in the CSRF AJAX docs that the
> {{{CSRF_COOKIE_HTTP_ONLY}}} setting will prevent non-safe ajax calls from
> working (if using the js provided). It should note that you have to
> include the csrf token via the template tag {% csrf_token %}, and
> update the js with something like this:
> {{{#!javascript
> // getCookie() is the helper from the Django CSRF docs; it returns null when
> // the cookie is absent or not visible to script (CSRF_COOKIE_HTTP_ONLY).
> var csrftoken = getCookie('csrftoken');
> if (csrftoken === null) {
>     // Fall back to the hidden input rendered by {% csrf_token %}. jQuery's
>     // .val() returns undefined (not null) when no input matches, so use ==.
>     csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
>     if (csrftoken == null) {
>         console.log('No csrf token');
>     }
> }
> }}}
>
> This is my first Django issue/ticket, sorry if I missed anything.

New description:

 https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
 https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

 There should be a note in the CSRF AJAX docs that the
 {{{CSRF_COOKIE_HTTPONLY}}} setting will prevent non-safe ajax calls from
 working (if using the js provided). It should note that you have to
 include the csrf token via the template tag {% csrf_token %}, and
 update the js with something like this:
 {{{#!javascript
 // getCookie() is the helper from the Django CSRF docs; it returns null when
 // the cookie is absent or not visible to script (CSRF_COOKIE_HTTPONLY).
 var csrftoken = getCookie('csrftoken');
 if (csrftoken === null) {
     // Fall back to the hidden input rendered by {% csrf_token %}. jQuery's
     // .val() returns undefined (not null) when no input matches, so use ==.
     csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
     if (csrftoken == null) {
         console.log('No csrf token');
     }
 }
 }}}

 This is my first Django issue/ticket, sorry if I missed anything.

--

Comment:

 It seems fine, but allegedly `CSRF_COOKIE_HTTPONLY`
 [https://groups.google.com/forum/#!topic/django-developers/nXjfLd8ba5k
 doesn't provide any additional security]. So I'm not sure if we're wasting
 our time enhancing its documentation rather than deemphasizing it in the
 documentation (or even removing it)?

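The token-acquisition fallback that the ticket description asks the docs to spell out (cookie first, then the hidden input rendered by `{% csrf_token %}` when `CSRF_COOKIE_HTTPONLY` or `CSRF_USE_SESSIONS` keeps the cookie away from script), written out as an added example. This is not code from the ticket or from Django; the cookie string and the hidden-input value are passed in explicitly so it runs under Node without a DOM (in a browser you would pass `document.cookie` and `document.querySelector('input[name="csrfmiddlewaretoken"]')`), and the token values are constructed samples. The `csrfSafeMethod` check mirrors the helper of the same name in the Django CSRF docs; the rest is illustrative.

```javascript
// Added example, not part of the ticket or of Django. Parse one cookie out of a
// document.cookie-style string ("a=1; b=2"). Returns null (never undefined) when
// the cookie is absent, like the getCookie() helper in the Django CSRF docs.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Resolve the CSRF token. Cookie first; if CSRF_COOKIE_HTTPONLY hides it from
// script (or CSRF_USE_SESSIONS means there is no cookie at all), fall back to the
// hidden input rendered by {% csrf_token %}. `hiddenInput` is any object with a
// `value` property (a DOM <input> element qualifies) or null/undefined when the
// page has no such input. null, undefined and '' are all treated as "missing",
// which is the pitfall in the ticket's snippet (jQuery's .val() yields undefined).
function resolveCsrfToken(cookieString, hiddenInput) {
  const fromCookie = getCookie(cookieString, 'csrftoken');
  if (fromCookie) return { token: fromCookie, source: 'cookie' };
  const fromInput = hiddenInput == null ? undefined : hiddenInput.value;
  if (fromInput) return { token: fromInput, source: 'form' };
  return { token: null, source: null };
}

// Django only enforces the CSRF check on unsafe methods; same test as the
// csrfSafeMethod() helper in the Django docs.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method.toUpperCase());
}

// Build the extra request headers for fetch()/XHR: attach X-CSRFToken only on
// unsafe methods, and fail loudly instead of sending a request that is certain
// to be rejected with 403 by CsrfViewMiddleware.
function csrfHeaders(method, cookieString, hiddenInput) {
  if (csrfSafeMethod(method)) return {};
  const { token } = resolveCsrfToken(cookieString, hiddenInput);
  if (token === null) {
    throw new Error('No CSRF token: cookie is HttpOnly/absent and the page has no {% csrf_token %} input');
  }
  return { 'X-CSRFToken': token };
}

// Constructed sample inputs (not real tokens).
const COOKIES_VISIBLE = 'sessionid=abc; csrftoken=cookieTokenValue123';
const COOKIES_HTTPONLY = 'sessionid=abc';            // csrftoken not exposed to script
const FORM_INPUT = { value: 'formTokenValue456' };    // what {% csrf_token %} renders

console.log(csrfHeaders('POST', COOKIES_VISIBLE, FORM_INPUT));   // token taken from the cookie
console.log(csrfHeaders('POST', COOKIES_HTTPONLY, FORM_INPUT));  // cookie hidden: token from the form input
console.log(csrfHeaders('GET', COOKIES_HTTPONLY, undefined));    // safe method: no header needed
```

The `source` field returned by `resolveCsrfToken` is there for diagnostics: logging which path supplied the token makes it obvious in the browser console when a deployment flipped `CSRF_COOKIE_HTTPONLY` on and the AJAX code silently switched to the form input, which is exactly the confusion the ticket wants documented.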