id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27470	CSRF context processor never sets NOTPROVIDED	Nick Sandford	nobody	"The CSRF context processor expects `get_token` to return None when CSRF_COOKIE is not in `request.META`. When this happens, it sets `context['csrf_token']` to a sentinel value of NOTPROVIDED instead of generating a new token.

This is a regression from 1.8.

1.8: https://github.com/django/django/blob/stable/1.8.x/django/middleware/csrf.py#L51
1.10: https://github.com/django/django/blob/stable/1.10.x/django/middleware/csrf.py#L94

This is a problem if the 404 handler is called from a URL that doesn't exist. Since a view wasn't found, the CSRF middleware was never run and any existing token won't be set on `request.META`. The new token will be set by `get_token` and returned to the user, replacing the existing token. If, say, a javascript bug or a different tab is causing the 404 handler to be run after a page with a form is loaded, that form will no longer be submittable.

Do we fix this, or remove the check for `None` in the context processor?
"	Uncategorized	closed	CSRF	1.10	Normal	needsinfo		Shai Berger	Unreviewed	0	0	0	0	0	0