Opened 8 years ago
Closed 4 years ago
#27534 closed Cleanup/optimization (duplicate)
Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
Reported by: | Andrew Charles | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
There should be a note in the CSRF AJAX docs that the CSRF_COOKIE_HTTPONLY
setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {% csrf_token %
}, and update the js with something like this:
var csrftoken = getCookie('csrftoken'); if (csrftoken === null) { csrftoken = $('input[name="csrfmiddlewaretoken"]').val(); if (csrftoken === null) { console.log('No csrf token'); } }
This is my first Django issue/ticket, sorry if I missed anything.
Change History (4)
follow-up: 2 comment:1 by , 8 years ago
Description: | modified (diff) |
---|---|
Summary: | Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs → Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs |
Type: | Uncategorized → Cleanup/optimization |
Version: | → master |
comment:2 by , 8 years ago
Replying to Tim Graham:
It seems fine, but allegedly
CSRF_COOKIE_HTTPONLY
doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?
I know that a browser can ignore this setting and that it doesn't really provide additional security, but CSRF_COOKIE_HTTPONLY
is currently recommended when running python manage.py check --deploy
. Until it is removed I think this would improve the docs and avoid confusion when using it with AJAX.
comment:3 by , 8 years ago
Triage Stage: | Unreviewed → Accepted |
---|
The technique of retrieving the CSRF token from a form input is now documented for a different reason. I created #27611 to remove the check suggesting the use of CSRF_COOKIE_HTTPONLY
, but a brief explanation of the proposed docs with a link to the other section seems fine.
comment:4 by , 4 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
Duplicate of #29879. Fixed in 76b3367035889d87ffef7a52cd44d70e30537f6f.
It seems fine, but allegedly
CSRF_COOKIE_HTTPONLY
doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?