[Django] #29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting


Django

Oct 22, 2018, 1:41:17 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
-------------------------------------+-------------------------------------
Reporter: Brenton Partridge | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords: csrf, settings
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-------------------------------------+-------------------------------------
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
says:

"If you enable this and need to send the value of the CSRF token with an
AJAX request, your JavaScript must pull the value from a hidden CSRF token
form input on the page instead of from the cookie."

However, the documentation at
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax makes no mention of
this setting; it's only barely listed at the bottom of the page. And if
HttpOnly is set, then the recommendation to read the token from the cookie
will fail.

Anyone inheriting a codebase, or using a boilerplate that defaults
CSRF_COOKIE_HTTPONLY to True, might naturally read the CSRF AJAX page, not
even realize they need to check CSRF_COOKIE_HTTPONLY, and run into issues
where it's clear that the CSRF cookie is being set in the browser's
storage, but isn't readable by `Cookies.get('csrftoken')` (which is
recommended as the "canonical way to do things").

If our standard is to include code about how to read cookies, we shouldn't
assume that the reader would instantly know that this mismatch is due to
HttpOnly.

I'd propose modifying the preface and relevant headings on that page from:

First, you must get the CSRF token. How to do that depends on whether or
not the CSRF_USE_SESSIONS setting is enabled.

Acquiring the token if CSRF_USE_SESSIONS is False/True

to:

First, you must get the CSRF token. How to do that depends on whether or
not the CSRF_USE_SESSIONS or CSRF_COOKIE_HTTPONLY setting is enabled.

Acquiring the token if CSRF_COOKIE_HTTPONLY and CSRF_USE_SESSIONS are
False

Acquiring the token if CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True

--
Ticket URL: <https://code.djangoproject.com/ticket/29879>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
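An added example (not code from the ticket, the reporter, or Django's documentation) of the token lookup the report asks the docs to spell out: the token is taken from the hidden `csrfmiddlewaretoken` input rendered by `{% csrf_token %}` when present, and only falls back to the `csrftoken` cookie, which is the step that silently returns nothing when CSRF_COOKIE_HTTPONLY is True. The cookie strings and token values are constructed; `resolveCsrfToken`, `csrfHeaders` and `postWithCsrf` are helper names chosen here.

```javascript
// Parse one cookie out of a document.cookie-style string; null if absent.
// Same approach as the docs' getCookie() helper. An HttpOnly cookie never
// shows up here, even though the browser stores it and sends it to Django.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Prefer the hidden input rendered by {% csrf_token %}: it works regardless of
// CSRF_COOKIE_HTTPONLY / CSRF_USE_SESSIONS. Fall back to the csrftoken cookie,
// which is only readable by script when both settings are False.
function resolveCsrfToken({ hiddenInputValue = null, cookieString = '' } = {}) {
  if (hiddenInputValue) return { token: hiddenInputValue, source: 'hidden-input' };
  const fromCookie = getCookie(cookieString, 'csrftoken');
  if (fromCookie) return { token: fromCookie, source: 'cookie' };
  // Neither: the usual cause is CSRF_COOKIE_HTTPONLY=True (cookie present but
  // invisible to script) or CSRF_USE_SESSIONS=True, with no {% csrf_token %}.
  return { token: null, source: 'none' };
}

// Header for a state-changing request; X-CSRFToken is what the default
// CSRF_HEADER_NAME ("HTTP_X_CSRFTOKEN") expects from the client.
function csrfHeaders(token) {
  if (!token) {
    throw new Error('No CSRF token readable: render {% csrf_token %} in the ' +
      'template when CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True');
  }
  return { 'X-CSRFToken': token };
}

// Browser-only glue (hypothetical helper): read the page, then POST with fetch.
function postWithCsrf(url, body) {
  const input = document.querySelector('[name=csrfmiddlewaretoken]');
  const { token } = resolveCsrfToken({
    hiddenInputValue: input ? input.value : null,
    cookieString: document.cookie,
  });
  return fetch(url, {
    method: 'POST',
    headers: { ...csrfHeaders(token), 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
}
```

With CSRF_COOKIE_HTTPONLY = True the browser still stores and sends `csrftoken`, but `getCookie(document.cookie, 'csrftoken')` returns null, so `resolveCsrfToken` reports `source: 'none'` unless the template includes `{% csrf_token %}`.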

Django

Oct 22, 2018, 1:41:52 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
-----------------------------------+--------------------------------------
Reporter: Brenton Partridge | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: csrf, settings | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------------+--------------------------------------
Description changed by Brenton Partridge:

Old description:

New description:

https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
says:

to:

--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:1>

Django

Oct 22, 2018, 2:47:59 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
--------------------------------------+------------------------------------
Reporter: Brenton Partridge | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: csrf, settings | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Carlton Gibson):

* type: New feature => Cleanup/optimization
* stage: Unreviewed => Accepted


Comment:

I’m sympathetic to this. People have hit
[https://github.com/encode/django-rest-framework/pull/6207 similar issues on DRF with `CSRF_USE_SESSIONS`].

It’d at least be worth mentioning that you may have to include the CSRF
token on the page.

--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:2>

Django

Oct 22, 2018, 3:33:46 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
--------------------------------------+------------------------------------
Reporter: Brenton Partridge | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: csrf, settings | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by storymode7):

Hey, can I take this up?

--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:3>

Django

Oct 23, 2018, 5:29:19 AM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
--------------------------------------+------------------------------------
Reporter: Brenton Partridge | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: csrf, settings | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Carlton Gibson):

Hi storymode7. Yes, you’re very welcome. 🙂

--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:4>

Django

Oct 23, 2018, 1:28:38 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
-------------------------------------+-------------------------------------
Reporter: Brenton Partridge | Owner: storymode7
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: csrf, settings | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by storymode7):

* owner: nobody => storymode7
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:5>

Django

Oct 24, 2018, 4:32:59 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
-------------------------------------+-------------------------------------
Reporter: Brenton Partridge | Owner: Mayank Singhal
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: csrf, settings | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mayank Singhal):

* has_patch: 0 => 1


Comment:

https://github.com/django/django/pull/10556

--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:6>

Django

Oct 25, 2018, 3:01:52 AM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
-------------------------------------+-------------------------------------
Reporter: Brenton Partridge | Owner: Mayank Singhal
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: csrf, settings | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:7>

Django

Oct 25, 2018, 12:07:53 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
-------------------------------------+-------------------------------------
Reporter: Brenton Partridge | Owner: Mayank Singhal
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: csrf, settings | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"76b3367035889d87ffef7a52cd44d70e30537f6f" 76b33670]:
{{{
#!CommitTicketReference repository=""
revision="76b3367035889d87ffef7a52cd44d70e30537f6f"
Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:8>

Django

Oct 25, 2018, 12:08:08 PM
to django-...@googlegroups.com
#29879: CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
-------------------------------------+-------------------------------------
Reporter: Brenton Partridge | Owner: Mayank Singhal
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: csrf, settings | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"4529287af24899a8b09c5cba9bd4ab156a03f0ba" 4529287a]:
{{{
#!CommitTicketReference repository=""
revision="4529287af24899a8b09c5cba9bd4ab156a03f0ba"
[2.1.x] Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.

Backport of 76b3367035889d87ffef7a52cd44d70e30537f6f from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29879#comment:9>
