Opened 21 months ago

Last modified 20 months ago

#27534 new Cleanup/optimization

Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs

Reported by: Andrew Charles
Owned by: nobody
Component: Documentation
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Tim Graham)

https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

There should be a note in the CSRF AJAX docs that the CSRF_COOKIE_HTTPONLY setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {% csrf_token %}, and update the js with something like this:

// getCookie is the helper from the Django CSRF AJAX docs; it returns null
// when the cookie is absent or hidden from script by CSRF_COOKIE_HTTPONLY.
var csrftoken = getCookie('csrftoken');
if (csrftoken == null) {
    // Fall back to the hidden input rendered by {% csrf_token %}.
    csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
    // jQuery's .val() on an empty selection returns undefined, not null,
    // so a strict === null test would never fire; use == null instead.
    if (csrftoken == null) {
        console.log('No csrf token');
    }
}

This is my first Django issue/ticket, sorry if I missed anything.
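The lookup the ticket asks to document (cookie first, then the hidden input rendered by {% csrf_token %}, then the X-CSRFToken header on unsafe requests), as an added example that is not the reporter's snippet and not Django's own documented code. It also covers the form-input technique referred to in comment:3. The cookie string and the form value are passed in as parameters so the logic can be exercised outside a browser; in a page you would pass document.cookie and the hidden input's value. The cookie name csrftoken and the header name X-CSRFToken are Django's defaults (CSRF_COOKIE_NAME and CSRF_HEADER_NAME can change them); the endpoint /api/items/ in the usage comment is hypothetical.

```javascript
// Added example: resolving the Django CSRF token for AJAX when
// CSRF_COOKIE_HTTPONLY = True makes the csrftoken cookie unreadable from JS.
// Not code from the ticket or from Django; written for this page.

// Django's default cookie name (settings.CSRF_COOKIE_NAME).
const CSRF_COOKIE_NAME = 'csrftoken';
// Methods Django's CsrfViewMiddleware treats as safe: no token is checked.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a cookie header string ("a=1; b=2") and return the named cookie,
// or null when it is absent. With CSRF_COOKIE_HTTPONLY the cookie is still
// stored and sent by the browser, but document.cookie never contains it,
// so this returns null even though the user does have a CSRF cookie.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Resolve the token to send: the cookie if script can read it, otherwise
// the value of the hidden input that {% csrf_token %} renders. Returns null
// when neither source is available. The form value is tested for any falsy
// value because jQuery's .val() (and an absent element) yield undefined,
// which a strict === null comparison would miss.
function getCsrfToken(cookieString, formTokenValue) {
  const fromCookie = getCookie(CSRF_COOKIE_NAME, cookieString);
  if (fromCookie) return fromCookie;
  if (formTokenValue) return formTokenValue;
  return null;
}

// Build the request headers for a given method. Safe methods need nothing;
// unsafe ones must carry X-CSRFToken, and rather than send a request Django
// would reject with 403 we fail early with an actionable message.
function csrfHeaders(method, token) {
  const m = String(method).toUpperCase();
  if (SAFE_METHODS.has(m)) return {};
  if (!token) {
    throw new Error(
      'No CSRF token available: render {% csrf_token %} in the page or ' +
      'leave CSRF_COOKIE_HTTPONLY at its default of False'
    );
  }
  return { 'X-CSRFToken': token };
}

// Browser-side helper: read the hidden input rendered by {% csrf_token %}.
// Only valid in a page; not called by the offline checks below.
function readFormToken() {
  const input = document.querySelector('input[name="csrfmiddlewaretoken"]');
  return input ? input.value : null;
}

// Offline demonstration with constructed inputs (not real session data).
// Case 1: cookie readable (CSRF_COOKIE_HTTPONLY = False).
const readableJar = 'sessionid=abc123; csrftoken=cookieTokenValue';
// Case 2: cookie hidden (CSRF_COOKIE_HTTPONLY = True): only sessionid is visible.
const httpOnlyJar = 'sessionid=abc123';
const formValue = 'formTokenValue';

function demo() {
  return {
    fromCookie: getCsrfToken(readableJar, formValue),   // 'cookieTokenValue'
    fromForm: getCsrfToken(httpOnlyJar, formValue),     // 'formTokenValue'
    missing: getCsrfToken(httpOnlyJar, undefined),      // null
    postHeaders: csrfHeaders('POST', getCsrfToken(httpOnlyJar, formValue)),
  };
}

// In a page, the equivalent call would be:
//   const token = getCsrfToken(document.cookie, readFormToken());
//   fetch('/api/items/', { method: 'POST', headers: csrfHeaders('POST', token), body: ... });
```

The reason the fallback is needed at all: the HttpOnly flag only hides the cookie from script, the browser still attaches it to the request, and Django compares that cookie against the X-CSRFToken header (or the csrfmiddlewaretoken field). So the form-rendered value is a valid substitute for the header, and an application that relies solely on the cookie-reading snippet from the docs will silently send unsafe requests without a header and get 403 responses.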

Change History (3)

comment:1 Changed 21 months ago by Tim Graham

Description: modified (diff)
Summary: Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs → Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
Type: Uncategorized → Cleanup/optimization
Version: master

It seems fine, but allegedly CSRF_COOKIE_HTTPONLY doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?

comment:2 in reply to: 1 Changed 21 months ago by Andrew Charles

Replying to Tim Graham:

It seems fine, but allegedly CSRF_COOKIE_HTTPONLY doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?

I know that a browser can ignore this setting and that it doesn't really provide additional security, but CSRF_COOKIE_HTTPONLY is currently recommended when running python manage.py check --deploy. Until it is removed I think this would improve the docs and avoid confusion when using it with AJAX.

comment:3 Changed 20 months ago by Tim Graham

Triage Stage: Unreviewed → Accepted

The technique of retrieving the CSRF token from a form input is now documented for a different reason. I created #27611 to remove the check suggesting the use of CSRF_COOKIE_HTTPONLY, but a brief explanation of the proposed docs with a link to the other section seems fine.
