Opened 6 years ago

Closed 6 years ago

#11566 closed (invalid)

CSRF documentation problem

Reported by: benlbroussard
Owned by: nobody
Component: Documentation
Version: 1.0
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The documentation for "Cross Site Request Forgery protection" found at http://docs.djangoproject.com/en/dev/ref/contrib/csrf/ is both unclear and incorrect in the last paragraph before limitations where it states:

"The middleware tries to be smart about requests that come in via AJAX. Many JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header; these requests are detected and automatically not handled by this middleware. We can do this safely because, in the context of a browser, the header can only be added by using XMLHttpRequest, and browsers already implement a same-domain policy for XMLHttpRequest. (Note that this is not secure if you don't trust content within the same domain or subdomains.)"

It is true that the browsers have implemented a same-domain policy for XMLHttpRequest. The implicit statement is that the browser will only allow XMLHttpRequest requests from the same domain. This is, however, not true. Browsers will allow image, js file, css file, and AJAX requests from any domain to any domain. What it will not allow is the parsing of the AJAX response.

This means that the current CsrfMiddleware does not handle AJAX requests securely. It should validate a token for POST AJAX requests. It should fail if the token is not valid or doesn't exist.
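To make the two behaviours discussed in this ticket concrete, here is an added example (not code from the ticket, and not Django's CsrfMiddleware). It models a request as plain dicts and contrasts a check that skips token validation when the `X-Requested-With: XMLHttpRequest` header is present, as the quoted documentation describes, with the strict check the report asks for, where every unsafe-method request must carry a valid token. The cookie and form field names `csrftoken` and `csrfmiddlewaretoken` are assumptions chosen to mirror the usual double-submit pattern.

```python
import hmac
import secrets

# Constructed, minimal request model (not Django's HttpRequest): method,
# headers, cookies and POSTed form fields are plain dicts.
def make_request(method, headers=None, cookies=None, post=None):
    return {
        "method": method.upper(),
        "headers": headers or {},
        "cookies": cookies or {},
        "POST": post or {},
    }

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"             # assumed cookie name
FIELD_NAME = "csrfmiddlewaretoken"    # assumed form field name

def _token_matches(request):
    """Double-submit check: the token in the form body must equal the
    token in the cookie. compare_digest avoids timing side channels."""
    cookie = request["cookies"].get(COOKIE_NAME)
    submitted = request["POST"].get(FIELD_NAME)
    if not cookie or not submitted:
        return False
    return hmac.compare_digest(cookie, submitted)

def csrf_check_with_xhr_exemption(request):
    """Behaviour the quoted documentation describes: a request that
    announces itself as XMLHttpRequest is not checked at all."""
    if request["method"] in SAFE_METHODS:
        return True
    if request["headers"].get("X-Requested-With") == "XMLHttpRequest":
        return True
    return _token_matches(request)

def csrf_check_strict(request):
    """Behaviour the report recommends: no header-based exemption, every
    unsafe-method request needs a valid token."""
    if request["method"] in SAFE_METHODS:
        return True
    return _token_matches(request)

if __name__ == "__main__":
    token = secrets.token_hex(16)
    # Legitimate same-site form post: cookie and field carry the same token.
    good = make_request("POST", cookies={COOKIE_NAME: token},
                        post={FIELD_NAME: token, "action": "save"})
    # Request that only carries the header and no token (constructed).
    header_only = make_request("POST",
                               headers={"X-Requested-With": "XMLHttpRequest"},
                               post={"action": "save"})
    for name, req in [("good", good), ("header_only", header_only)]:
        print(name, "exempting:", csrf_check_with_xhr_exemption(req),
              "strict:", csrf_check_strict(req))
```

The header-based variant accepts the second request purely on the strength of a header, so its safety rests entirely on the assumption that no cross-site request can carry that header; the strict variant does not depend on that assumption and rejects anything without a matching token.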

Change History (1)

comment:1 Changed 6 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

Cross-domain img, css etc. requests are not "XMLHttpRequest requests", and they are irrelevant because you cannot get the browser to set the X-Requested-With header for those requests. As for XMLHttpRequest itself, by looking at logs etc., I've verified that I cannot produce a cross-domain GET request or POST request using XMLHttpRequest (with the browsers I've tested at least). So this bug report appears to be invalid. If there are some browsers where you can use XMLHttpRequest to do a cross-domain request, please re-open, indicating which browsers.
