Opened 5 months ago

Last modified 5 months ago

#21495 new New feature

Add a setting for CSRF Header name

Reported by: hello@…
Owned by: nobody
Component: HTTP handling
Version: 1.6
Severity: Normal
Keywords: csrf,header,angularjs
Cc: unai@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: yes
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

CSRF includes a few customizations in settings:
https://github.com/django/django/blob/master/django/conf/global_settings.py#L544
but neglects allowing the user to set the Header name used by the server.

It would be very helpful to have this setting to use with AngularJS. While AngularJS allows overriding the cookie and header name, it would be better for my workflow (and I'm sure others) to set this on the server side and then AngularJS's CSRF functionality will "just work".

Details on the AngularJS CSRF workings:
http://docs.angularjs.org/api/ng.$http § Cross Site Request Forgery (XSRF) Protection

Pull request:
https://github.com/django/django/pull/1958

Attachments (0)

Change History (7)

comment:1 Changed 5 months ago by zerok

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Since the cookie name is also configurable, it definitely makes sense to also make the header name configurable, since it might be used from the Django context. The same is not necessarily true for the name of the form field, so keeping this one hard-coded is IMO valid.

comment:2 Changed 5 months ago by susan

I made a separate PR that addresses other people's suggestions here: https://github.com/django/django/pull/1989 Feel free to code review; I'm unsure what test(s) to add.

comment:3 Changed 5 months ago by susan

I made a separate PR that addresses other people's suggestions here: https://github.com/django/django/pull/1989 Feel free to code review; I'm unsure what test(s) to add.

comment:4 Changed 5 months ago by anonymous

YAPR (Yet Another PR) with a different interpretation for this change: https://github.com/django/django/pull/1995

comment:5 Changed 5 months ago by unaizalakain

  • Easy pickings unset
  • Needs documentation set
  • Needs tests set

I'm +1 on the last implementation (https://github.com/django/django/pull/1995) but this needs tests and docs. I would also propose to the mailing list to follow a deprecation timeline with the settings moved inside CsrfViewMiddleware. I'd be glad if an issue initially requiring Yet Another Setting turned into an issue removing 6 settings.

comment:6 Changed 5 months ago by unaizalakain

  • Cc unai@… added

comment:7 Changed 5 months ago by WesAlvaro

Sure. If we're good on the idea, I'll create tests and mail the list. I much prefer the idea of configuring the middleware vs adding settings!
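The two technical points in this ticket are (a) the description's mismatch between Django's default header/cookie names and the ones AngularJS's $http sends, and (b) comment:5/comment:7's idea of configuring the middleware instead of adding settings. The block below is an added example written for this page; it is not Django's CsrfViewMiddleware nor code from any of the linked pull requests. It is a stand-alone model of a double-submit check in which the cookie and header names are class attributes, with the header-name-to-META-key translation that any configurable header name needs. The request dicts, the `CsrfCheck` class, `make_request` and `demo` are all hypothetical names; the only Django-specific facts used are the default cookie name `csrftoken`, the default header `X-CSRFToken` (META key `HTTP_X_CSRFTOKEN`) and the hard-coded form field `csrfmiddlewaretoken`, plus AngularJS's documented `XSRF-TOKEN` cookie and `X-XSRF-TOKEN` header.

```python
import hmac

# Django defaults referenced in the ticket: cookie "csrftoken", header "X-CSRFToken".
DJANGO_COOKIE_NAME = "csrftoken"
DJANGO_HEADER_NAME = "X-CSRFToken"
# AngularJS $http defaults from the linked docs: cookie "XSRF-TOKEN", header "X-XSRF-TOKEN".
ANGULAR_COOKIE_NAME = "XSRF-TOKEN"
ANGULAR_HEADER_NAME = "X-XSRF-TOKEN"
# The form-field name stays hard-coded, as comment:1 argues it should.
FORM_FIELD_NAME = "csrfmiddlewaretoken"


def header_to_meta_key(header_name):
    """Map an HTTP header name to its WSGI environ / request.META key.

    'X-XSRF-TOKEN' -> 'HTTP_X_XSRF_TOKEN'; 'X-CSRFToken' -> 'HTTP_X_CSRFTOKEN'.
    A configurable header setting has to do this translation because the
    middleware looks the header up in request.META, not by its wire name.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


class CsrfCheck:
    """Stand-alone model of a double-submit CSRF check (hypothetical, not Django's).

    Cookie and header names are attributes, so a deployment can subclass or
    instantiate with AngularJS's names instead of adding further settings.
    """
    cookie_name = DJANGO_COOKIE_NAME
    header_name = DJANGO_HEADER_NAME
    safe_methods = ("GET", "HEAD", "OPTIONS", "TRACE")

    def __init__(self, cookie_name=None, header_name=None):
        if cookie_name is not None:
            self.cookie_name = cookie_name
        if header_name is not None:
            self.header_name = header_name
        self.meta_key = header_to_meta_key(self.header_name)

    def check(self, request):
        """Return None if the request passes, otherwise a rejection reason."""
        if request["method"] in self.safe_methods:
            return None
        cookie_token = request["cookies"].get(self.cookie_name, "")
        if not cookie_token:
            return "CSRF cookie not set."
        # Hard-coded form field first, then the configurable header.
        submitted = request["post"].get(FORM_FIELD_NAME, "")
        if not submitted:
            submitted = request["meta"].get(self.meta_key, "")
        if not submitted:
            return "CSRF token missing."
        # Constant-time comparison so the reject path does not leak token bytes.
        if not hmac.compare_digest(cookie_token, submitted):
            return "CSRF token incorrect."
        return None


def make_request(method, cookies, meta=None, post=None):
    """Build a minimal request dict (constructed sample input, not an HttpRequest)."""
    return {"method": method, "cookies": cookies, "meta": meta or {}, "post": post or {}}


def demo():
    """Run the same AngularJS-style POST through the default and the reconfigured check."""
    token = "c0nstructedsampletoken0000000000"  # constructed; a real token is random
    angular_post = make_request(
        "POST",
        cookies={ANGULAR_COOKIE_NAME: token},
        meta={header_to_meta_key(ANGULAR_HEADER_NAME): token},
    )
    tampered = make_request(
        "POST",
        cookies={ANGULAR_COOKIE_NAME: token},
        meta={header_to_meta_key(ANGULAR_HEADER_NAME): token[:-1] + "x"},
    )
    default_check = CsrfCheck()
    angular_check = CsrfCheck(cookie_name=ANGULAR_COOKIE_NAME, header_name=ANGULAR_HEADER_NAME)
    return {
        "default_rejects_angular": default_check.check(angular_post),
        "configured_accepts_angular": angular_check.check(angular_post),
        "configured_rejects_tampered": angular_check.check(tampered),
        "safe_method_skipped": angular_check.check(make_request("GET", {})),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With the defaults, an AngularJS client that sends `XSRF-TOKEN`/`X-XSRF-TOKEN` is rejected at the cookie step before the header is even consulted; the same request passes once both names are reconfigured, and a header that does not match the cookie is still rejected. Keeping the names as class attributes is what makes the "configure the middleware" approach from the later comments possible without a new setting per name.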
