[Django] #27534: Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs


Django

Nov 25, 2016, 1:46:11 AM11/25/16
to django-...@googlegroups.com
#27534: Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs
------------------------------------------+------------------------
Reporter: Andrew Charles | Owner: nobody
Type: Uncategorized | Status: new
Component: Documentation | Version:
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------+------------------------
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

There should be a note in the CSRF AJAX docs that the
{{{CSRF_COOKIE_HTTP_ONLY}}} setting will prevent non-safe ajax calls from
working (if using the js provided). It should note that you have to
include the csrf token via the template tag {{{{% csrf_token %}}}}, and
update the js with something like this:
{{{#!javascript
// getCookie() is the helper from the Django CSRF docs; it returns null
// when the cookie is absent, which is the case when CSRF_COOKIE_HTTPONLY
// hides it from JavaScript.
var csrftoken = getCookie('csrftoken');
if (csrftoken === null) {
    // Fall back to the hidden input rendered by {% csrf_token %}.
    // jQuery's .val() returns undefined (not null) when no input matches,
    // so test for any falsy value rather than strict null.
    csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
    if (!csrftoken) {
        console.log('No csrf token');
    }
}
}}}

This is my first Django issue/ticket, sorry if I missed anything.

--
Ticket URL: <https://code.djangoproject.com/ticket/27534>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
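The fallback the ticket describes (cookie first, then the hidden input rendered by `{% csrf_token %}`), worked through as an added example; this is not code from the ticket or from Django's own docs, and it also covers the case Tim links in comment 3 where the token is only available in the form because `CSRF_USE_SESSIONS` is enabled. The `X-CSRFToken` header, the `csrftoken` cookie and the `csrfmiddlewaretoken` input name are Django's defaults; the function names, the explicit cookie-string parameter and the sample values are assumptions made so the token-selection logic can run and be checked outside a browser.

```javascript
// Added example (not from the ticket or Django's docs): resolve the CSRF
// token for an AJAX request when CSRF_COOKIE_HTTPONLY hides the cookie
// from JavaScript, falling back to the hidden input from {% csrf_token %}.
// The pure functions take their inputs explicitly so they run outside a
// browser; document/DOM access is confined to the thin wrappers at the end.

// Parse one cookie out of a document.cookie-style string.
// Returns null when the cookie is absent (as it is when HttpOnly is set).
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  const prefix = name + '=';
  for (const raw of cookieString.split(';')) {
    const cookie = raw.trim();
    if (cookie.startsWith(prefix)) {
      return decodeURIComponent(cookie.slice(prefix.length));
    }
  }
  return null;
}

// Pick the token: cookie first, then the hidden form input. The loose
// check matters: jQuery's .val() returns undefined (not null) when no
// input matches, which is why a strict `=== null` test never fires.
function resolveCsrfToken(cookieString, formInputValue) {
  const fromCookie = getCookie('csrftoken', cookieString);
  if (fromCookie) return fromCookie;
  if (formInputValue) return formInputValue;
  return null;
}

// Django treats these methods as CSRF-safe; no header is needed for them.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build request headers. X-CSRFToken (the header CsrfViewMiddleware reads
// by default) is attached only on unsafe methods, and a missing token is
// surfaced as an error instead of a silently rejected 403 from the server.
function buildHeaders(method, cookieString, formInputValue, extra) {
  const headers = Object.assign({}, extra || {});
  if (csrfSafeMethod(method)) return headers;
  const token = resolveCsrfToken(cookieString, formInputValue);
  if (token === null) {
    throw new Error('No CSRF token: cookie is HttpOnly and no csrfmiddlewaretoken input found');
  }
  headers['X-CSRFToken'] = token;
  return headers;
}

// Browser glue (hypothetical wrapper names): read document.cookie and the
// hidden input, then hand off to the pure functions above.
function readFormToken() {
  if (typeof document === 'undefined') return undefined;
  const input = document.querySelector('input[name="csrfmiddlewaretoken"]');
  return input ? input.value : undefined;
}

function csrfFetch(url, options) {
  const opts = Object.assign({ method: 'GET' }, options || {});
  const cookies = typeof document === 'undefined' ? '' : document.cookie;
  opts.headers = buildHeaders(opts.method, cookies, readFormToken(), opts.headers);
  opts.credentials = 'same-origin';
  return fetch(url, opts);
}

// Constructed sample values (not real tokens) for exercising the logic
// outside a browser.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=cookieTokenValue0123456789';
const SAMPLE_FORM_TOKEN = 'formTokenValue9876543210';
```

With `CSRF_COOKIE_HTTPONLY = True` the cookie string seen by `document.cookie` contains no `csrftoken`, so `resolveCsrfToken` returns the form value; with the default settings it returns the cookie value and the form lookup is never consulted.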

Django

Nov 25, 2016, 7:41:19 AM11/25/16
to django-...@googlegroups.com
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
-------------------------------------+-------------------------------------
Reporter: Andrew Charles | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* version: => master
* type: Uncategorized => Cleanup/optimization


Old description:

> https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
> https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
>
> There should be a note in the CSRF AJAX docs that the
> {{{CSRF_COOKIE_HTTP_ONLY}}} setting will prevent non-safe ajax calls from
> working (if using the js provided). It should note that you have to
> include the csrf token via the template tag {{{{% csrf_token %}}}}, and
> update the js with something like this:
> {{{#!javascript
> // getCookie() is the helper from the Django CSRF docs; it returns null
> // when the cookie is absent, which is the case when CSRF_COOKIE_HTTP_ONLY
> // hides it from JavaScript.
> var csrftoken = getCookie('csrftoken');
> if (csrftoken === null) {
>     // Fall back to the hidden input rendered by {% csrf_token %}.
>     // jQuery's .val() returns undefined (not null) when no input matches,
>     // so test for any falsy value rather than strict null.
>     csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
>     if (!csrftoken) {
>         console.log('No csrf token');
>     }
> }
> }}}
>
> This is my first Django issue/ticket, sorry if I missed anything.

New description:

https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

There should be a note in the CSRF AJAX docs that the
{{{CSRF_COOKIE_HTTPONLY}}} setting will prevent non-safe ajax calls from
working (if using the js provided). It should note that you have to
include the csrf token via the template tag {{{{% csrf_token %}}}}, and
update the js with something like this:
{{{#!javascript
// getCookie() is the helper from the Django CSRF docs; it returns null
// when the cookie is absent, which is the case when CSRF_COOKIE_HTTPONLY
// hides it from JavaScript.
var csrftoken = getCookie('csrftoken');
if (csrftoken === null) {
    // Fall back to the hidden input rendered by {% csrf_token %}.
    // jQuery's .val() returns undefined (not null) when no input matches,
    // so test for any falsy value rather than strict null.
    csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
    if (!csrftoken) {
        console.log('No csrf token');
    }
}
}}}

This is my first Django issue/ticket, sorry if I missed anything.

--

Comment:

It seems fine, but allegedly `CSRF_COOKIE_HTTPONLY`
[https://groups.google.com/forum/#!topic/django-developers/nXjfLd8ba5k
doesn't provide any additional security]. So I'm not sure if we're wasting
our time enhancing its documentation rather than deemphasizing it in the
documentation (or even removing it)?

--
Ticket URL: <https://code.djangoproject.com/ticket/27534#comment:1>

Django

Nov 28, 2016, 4:02:06 PM11/28/16
to django-...@googlegroups.com
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
-------------------------------------+-------------------------------------
Reporter: Andrew Charles | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Andrew Charles):

Replying to [comment:1 Tim Graham]:

> It seems fine, but allegedly `CSRF_COOKIE_HTTPONLY`
> [https://groups.google.com/forum/#!topic/django-developers/nXjfLd8ba5k
> doesn't provide any additional security]. So I'm not sure if we're wasting
> our time enhancing its documentation rather than deemphasizing it in the
> documentation (or even removing it)?

I know that a browser can ignore this setting and that it doesn't really
provide additional security, but `CSRF_COOKIE_HTTPONLY` is currently
recommended when running `python manage.py check --deploy`. Until it is
removed I think this would improve the docs and avoid confusion when using
it with AJAX.

--
Ticket URL: <https://code.djangoproject.com/ticket/27534#comment:2>

Django

Dec 16, 2016, 12:26:25 PM12/16/16
to django-...@googlegroups.com
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
--------------------------------------+------------------------------------
Reporter: Andrew Charles | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Accepted


Comment:

The technique of retrieving the CSRF token from a form input is now
[https://docs.djangoproject.com/en/dev/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true
documented for a different reason]. I created
#27611 to remove the check suggesting the use of `CSRF_COOKIE_HTTPONLY`,
but a brief explanation of the proposed docs with a link to the other
section seems fine.

--
Ticket URL: <https://code.djangoproject.com/ticket/27534#comment:3>

Django

Apr 21, 2021, 5:33:45 AM4/21/21
to django-...@googlegroups.com
#27534: Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
-------------------------------------+-------------------------------------
Reporter: Andrew Charles | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: duplicate
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => duplicate


Comment:

Duplicate of #29879. Fixed in 76b3367035889d87ffef7a52cd44d70e30537f6f.

--
Ticket URL: <https://code.djangoproject.com/ticket/27534#comment:4>
