> How so? You cannot just ajax-fetch stuff from different domains.
I'm talking about a single domain. Injected javascript on a page that
doesn't contain the CSRF token can fetch a different page on the same
domain to get it.
> If you already injected javascript onto the victims page (XSS) there is no need to fetch the CSRF token, you already got greater control.
Well, the HttpOnly flag is intended to reduce the damage an attacker
can do once the already can inject javascript. But I agree -- hiding
the CSRF token from javascript doesn't increase security in any way,
but the documentation implies it does. I want to make it clear in the
documentation that this setting has no meaningful effect.
> If you still think you have a valid attack vector there, please send it to
secu...@djangoproject.com and add a bit more explanation.
There is no attack vector. This is just about misleading documentation.
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this topic, visit
>
https://groups.google.com/d/topic/django-developers/nXjfLd8ba5k/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
>
https://groups.google.com/d/msgid/django-developers/7609a5bf-65d9-468a-8f64-c5e906cf5920%40googlegroups.com.