setting csrftoken to httponly and building ajax forms: not going to happen?

Spork Spork

Oct 26, 2013, 6:18:21 PM10/26/13
to django...@googlegroups.com
Hi,

I'm using Django 1.4.1b, and for security purposes would like to make the csrftoken cookie httponly, and therefore inaccessible from Javascript. Since this support is not available in my version of Django, I planned to follow this implementation approach: http://stackoverflow.com/questions/10861784/django-csrf-cookie-httponly.

But I also build AJAX requests, where I use the suggested approach outlined in the Django docs (https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#ajax), which involves getting the cookie and setting the x-csrftoken header in Javascript.

It looks to me like these two goals are fundamentally incompatible. Am I wrong? Is there some way to have both httponly csrf cookies and AJAX?

Many thanks!

Spork

Tom Evans

Oct 29, 2013, 7:45:03 AM10/29/13
to django...@googlegroups.com
Yes, (unsurprisingly) if you force the CSRF cookie to be unreadable
from javascript, then you will not be able to use javascript to
extract the CSRF token from the CSRF cookie when you submit an AJAX
request.

The requirement in order to use CSRF is for your AJAX submission to
include a CSRF token. This means you must insert the token some other
way, eg by including a hidden element in the form or page that
specifies the CSRF token, and will be included when the form is
submitted via AJAX, or extracted from the page and sent with the AJAX
request.

Cheers

Tom
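The approach Tom describes, as an added example that is not code from the thread or from Django itself: the template renders `{% csrf_token %}` (which in Django 1.4 emits a hidden input named `csrfmiddlewaretoken`), and the AJAX code reads that input from the DOM instead of the `csrftoken` cookie, so the cookie itself can be HttpOnly. The `X-CSRFToken` header is what Django's `CsrfViewMiddleware` checks on AJAX requests. The safe-method and same-origin checks mirror the jQuery snippet in the 1.4 docs; the `<meta name="csrf-token">` fallback, the `/api/items/` URL and the `postJson` helper are assumptions for illustration. Django 1.6 later added a `CSRF_COOKIE_HTTPONLY` setting with the same trade-off; its docs point out that it gives little practical protection, since an attacker who can run script on the page can read the token from the DOM anyway.

```javascript
// Added example, not code from the thread or from Django. Assumes the page was
// rendered by a Django template containing {% csrf_token %}, which emits
// <input type="hidden" name="csrfmiddlewaretoken" value="...">.

// Methods Django's CsrfViewMiddleware does not check; the header is only
// needed for everything else (POST, PUT, DELETE, PATCH).
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Read the token from the page. `doc` is the document (or, in tests, any
// object with a querySelector). Returns null when no token is embedded so the
// caller can fail loudly instead of sending a request that will get a 403.
function csrfTokenFromDocument(doc) {
  var input = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  if (input && input.value) {
    return input.value;
  }
  // Fallback for pages without a form: a <meta name="csrf-token" content="...">
  // tag the template author adds by hand (assumed convention, not a Django default).
  var meta = doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute('content') : null;
}

// Relative URLs are same-origin; absolute ones must start with the page origin.
function sameOrigin(url, pageOrigin) {
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(url) && !/^\/\//.test(url)) {
    return true;
  }
  return url === pageOrigin || url.indexOf(pageOrigin + '/') === 0;
}

// Extra headers for an AJAX call: X-CSRFToken only for unsafe methods, and
// only when the request stays on our origin so the token never leaks elsewhere.
function csrfHeaders(method, url, doc, pageOrigin) {
  if (csrfSafeMethod(method) || !sameOrigin(url, pageOrigin)) {
    return {};
  }
  var token = csrfTokenFromDocument(doc);
  if (!token) {
    throw new Error('No CSRF token in page; add {% csrf_token %} to the template');
  }
  return { 'X-CSRFToken': token };
}

// Browser-only helper (assumed name): POST a JSON body with the CSRF header set.
function postJson(url, body, doc) {
  var origin = window.location.protocol + '//' + window.location.host;
  var headers = csrfHeaders('POST', url, doc, origin);
  var xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  xhr.setRequestHeader('Content-Type', 'application/json');
  Object.keys(headers).forEach(function (name) {
    xhr.setRequestHeader(name, headers[name]);
  });
  xhr.send(JSON.stringify(body));
  return xhr;
}

// Usage in a browser; skipped when run outside one (e.g. under Node).
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  postJson('/api/items/', { name: 'example' }, document);
}
```

Because the token is read from the DOM on each request, a page that is kept open across a login or session rotation should re-fetch the hidden input rather than cache the value; the middleware rejects a token that no longer matches the cookie.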