Re: [Django] #35796: Add signing support to the CSRF cookie (was: Add setting to sign CSRF cookie)


Django

Nov 7, 2024, 4:57:57 PM11/7/24
to django-...@googlegroups.com
#35796: Add signing support to the CSRF cookie
-------------------------------------+-------------------------------------
Reporter: Benjamin Zagorsky | Owner: (none)
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: csrf cookie signing | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Benjamin Zagorsky):

* summary: Add setting to sign CSRF cookie => Add signing support to the
CSRF cookie


Old description:

> Django should have a setting `CSRF_COOKIE_SIGNED` that uses the cookie
> signing infrastructure to sign the CSRF cookie. This would enable sites
> running on a subdomain of a shared domain name (ex.
> [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering
> (reducing the caveat currently under
> https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
>
> This setting should initially default to `False` for backwards
> compatibility, although this could be changed in a future major release.

New description:

Django's CSRF middleware should support signing and checking signatures on
CSRF cookies. This would enable sites running on a subdomain of a shared
domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie
tampering (reducing the caveat currently under
https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).

In order to do this in a backwards compatible way, Django should have a
setting `CSRF_COOKIE_SIGNING` that takes three settings:

1. `"disabled"` (default): CSRF token is not signed, but CSRF middleware
accepts both signed and unsigned cookies.
2. `"lenient"`: CSRF token is signed, and CSRF middleware accepts both
signed and unsigned cookies.
3. `"strict"`: CSRF token is signed, and CSRF middleware only accepts
signed cookies.

This would enable people to upgrade their systems over two releases with
no disruption to users, stepping from `"disabled"` to `"lenient"` in one
release and `"lenient"` to `"strict"` in the second release.

Django forum thread: https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3

--
Ticket URL: <https://code.djangoproject.com/ticket/35796#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
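The three-mode acceptance logic proposed in the ticket, as an added illustration that is not part of the ticket, the forum thread, or Django's own code. It uses the standard library's `hmac` in place of `django.core.signing` and plain functions in place of `CsrfViewMiddleware`; the helper names (`sign_token`, `cookie_value_for`, `token_from_cookie`), the `token:signature` cookie layout, and the `SECRET_KEY` value are constructed assumptions. It also shows the migration path the ticket describes: cookies written under one mode are read under the next.

```python
"""Illustration of the proposed CSRF_COOKIE_SIGNING modes (constructed example).

Assumptions: HMAC-SHA256 from the standard library stands in for
django.core.signing, and plain functions stand in for the middleware.
"""
import hashlib
import hmac

# Hypothetical stand-in for settings.SECRET_KEY (constructed value).
SECRET_KEY = "constructed-secret-key-not-for-production"
SEP = ":"  # Django CSRF tokens are alphanumeric, so ":" cannot occur in one.
MODES = ("disabled", "lenient", "strict")


def _signature(token: str, key: str) -> str:
    # HMAC over the token only; django.core.signing additionally salts the key.
    return hmac.new(key.encode(), token.encode(), hashlib.sha256).hexdigest()


def sign_token(token: str, key: str = SECRET_KEY) -> str:
    """Return 'token:signature', analogous to a signed cookie value."""
    return f"{token}{SEP}{_signature(token, key)}"


def cookie_value_for(token: str, mode: str, key: str = SECRET_KEY) -> str:
    """Value the middleware would write to the CSRF cookie under `mode`."""
    if mode == "disabled":
        return token  # not signed, as today
    if mode in ("lenient", "strict"):
        return sign_token(token, key)  # signed in both upgrade steps
    raise ValueError(f"unknown CSRF_COOKIE_SIGNING mode: {mode!r}")


def token_from_cookie(cookie_value: str, mode: str, key: str = SECRET_KEY):
    """Extract the CSRF token from a cookie, or None if it must be rejected.

    "disabled" and "lenient" accept signed and unsigned cookies;
    "strict" accepts only cookies carrying a valid signature.
    """
    if mode not in MODES:
        raise ValueError(f"unknown CSRF_COOKIE_SIGNING mode: {mode!r}")
    token, sep, sig = cookie_value.rpartition(SEP)
    if sep:
        # Looks signed: a signature that does not verify is rejected in every
        # mode, since the value was tampered with or signed under another key.
        if hmac.compare_digest(sig, _signature(token, key)):
            return token
        return None
    # Unsigned cookie: only "strict" refuses it.
    if mode == "strict":
        return None
    return cookie_value


def migration_matrix(token: str, key: str = SECRET_KEY):
    """For each (write mode, read mode) pair, whether the cookie is accepted.

    Shows the two-release path: disabled -> lenient -> strict.
    """
    result = {}
    for write_mode in MODES:
        cookie = cookie_value_for(token, write_mode, key)
        for read_mode in MODES:
            accepted = token_from_cookie(cookie, read_mode, key) == token
            result[(write_mode, read_mode)] = accepted
    return result


if __name__ == "__main__":
    demo_token = "A" * 32  # constructed; real tokens are 32 allowed chars
    for pair, ok in migration_matrix(demo_token).items():
        print(f"written under {pair[0]:<8} read under {pair[1]:<8} -> {ok}")
```

Reading the matrix: an unsigned cookie written under `"disabled"` is only refused once the reader is `"strict"`, so a site can switch to `"lenient"` in one release (new cookies get signed, old ones still work), then to `"strict"` once the old unsigned cookies have aged out. Treating a cookie with a signature that fails verification as invalid even in `"lenient"` is a design choice of this example, not something the ticket specifies.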