[Django] #35796: Add setting to sign CSRF cookie

[Django]

#35796: Add setting to sign CSRF cookie
-----------------------------+----------------------------------------
Reporter: zags | Type: New feature
Status: new | Component: Core (Other)
Version: dev | Severity: Normal
Keywords: csrf cookie | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------+----------------------------------------
Django should have a setting `CSRF_COOKIE_SIGNED` that uses the cookie
signing infrastructure to sign the CSRF cookie. This would enable sites
running on a subdomain of a shared domain name (ex.
[SUBDOMAIN].herokuapp.com) to have protection from cookie tampering
(reducing the caveat currently under
https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

This setting should initially default to `False` for backwards
comparability, although this could be changed in a future major release.
--
Ticket URL: <https://code.djangoproject.com/ticket/35796>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#35796: Add setting to sign CSRF cookie

-------------------------------------+-------------------------------------
Reporter: Benjamin Zagorsky | Owner: (none)
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: csrf cookie signing | Triage Stage:

| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* component: Core (Other) => CSRF
* easy: 1 => 0
* keywords: csrf cookie => csrf cookie signing
* resolution: => wontfix
* status: new => closed

Comment:

Hello Benjamin!

Adding a new setting to Django is quite controversial, and something that
we try to avoid. Because of that, this requires an explicit agreement with
the community. Besides the new setting proposal, I do understand that this
report comes along with a new feature request, which would be adding
"automatic" CSRF cookie signing to Django. For cases like this, the
recommended path forward is to first propose and discuss the idea with the
community and gain consensus. To do that, please consider starting a new
conversation on the [https://forum.djangoproject.com/c/internals/5 Django
Forum], where you'll reach a broader audience and receive additional
feedback.

I'll close the ticket for now, but if the community agrees with the
proposal, please return to this ticket and reference the forum discussion
so we can re-open it. For more information, please refer to
[https://docs.djangoproject.com/en/stable/internals/contributing/bugs-and-
features/#requesting-features the documented guidelines for requesting
features].

Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/35796#comment:1>