Hello,
I’m wondering why django.template.context defines:
# We need the CSRF processor no matter what the user has in their settings,
# because otherwise it is a security vulnerability, and we can't afford to leave
# this to human error or failure to read migration instructions.
_builtin_context_processors = ('django.core.context_processors.csrf',)
and then forcibly prepends it to settings.TEMPLATE_CONTEXT_PROCESSORS.
If the template context processor was missing, {% csrf_token %} wouldn’t output anything in templates. Then it would be impossible to submit forms, but that would be a bug.
The CSRF context processor even has a branch that returns NOTPROVIDED. {% csrf_token %} specifically tests for this case and doesn’t output anything when it happens.
So I fail to find the security vulnerability the comment talks about. I didn’t find the answer in:
- https://github.com/django/django/commit/8e70cef9b67433edd70935dcc30c621d1e7fc0a0
- https://code.djangoproject.com/ticket/9977
- https://code.djangoproject.com/wiki/CsrfProtection
Does anyone remember the reasoning?
Thanks,
--
Aymeric.
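As an added example (not Django's own code and not part of the message above), a simplified Python model of the behaviour the question describes: the context processor is forcibly prepended, {% csrf_token %} renders nothing when the token is absent or is the NOTPROVIDED sentinel, and a middleware-style check then rejects a POST that carries no matching token. The names NOTPROVIDED and csrfmiddlewaretoken follow Django; the request dict and helper function names are constructed for this example.

```python
import hmac

NOTPROVIDED = object()  # stand-in for Django's NOTPROVIDED sentinel (assumption: same role)

def csrf_processor(request):
    """Model of django.core.context_processors.csrf: expose the token the
    middleware stored on the request, or NOTPROVIDED when it stored none."""
    token = request.get("csrf_token")  # request is a constructed dict, not HttpRequest
    return {"csrf_token": token if token is not None else NOTPROVIDED}

def build_processors(user_processors):
    """Model of the forced prepend: the CSRF processor always runs first,
    whatever the user configured (duplicates from settings are dropped)."""
    return (csrf_processor,) + tuple(p for p in user_processors if p is not csrf_processor)

def render_csrf_token(context):
    """Model of CsrfTokenNode.render(): emit the hidden input only for a real
    token; a missing key or NOTPROVIDED yields an empty string."""
    token = context.get("csrf_token")
    if token is None or token is NOTPROVIDED:
        return ""
    return f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'

def render_form(request, processors):
    """Run the processors into one context, then render a minimal POST form."""
    context = {}
    for proc in processors:
        context.update(proc(request))
    return f'<form method="post">{render_csrf_token(context)}<input type="submit"></form>'

def form_has_token(html):
    """Defender-side check: does the rendered form carry the hidden token field?"""
    return 'name="csrfmiddlewaretoken"' in html

def check_post(request, posted_token):
    """Model of CsrfViewMiddleware.process_view(): accept the POST only when the
    submitted token matches the request's token (constant-time comparison)."""
    expected = request.get("csrf_token")
    if expected is None or posted_token is None:
        return False
    return hmac.compare_digest(expected, posted_token)
```

Without the processor the form renders with no token, so check_post() rejects every submission: the forms break, as the message says, rather than being silently unprotected.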