Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs

[Andrew Charles]

​https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
​https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

There should be a note in the CSRF AJAX docs that the CSRF_COOKIE_HTTPONLY setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {% csrf_token %}, and update the js with something like this:

var csrftoken = getCookie('csrftoken');
if (csrftoken === null) {
    csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
    if (csrftoken === null) {
        console.log('No csrf token');
    }
}

This is my first Django issue/ticket, sorry if I missed anything.

[Tim Graham]

It seems fine, but allegedly CSRF_COOKIE_HTTPONLY ​doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?

[Andrew Charles]

Replying to Tim Graham:

It seems fine, but allegedly CSRF_COOKIE_HTTPONLY ​doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?

I know that a browser can ignore this setting and that it doesn't really provide additional security, but CSRF_COOKIE_HTTPONLY is currently recommended when running python manage.py check --deploy. Until it is removed I think this would improve the docs and avoid confusion when using it with AJAX.

[Tim Graham]

The technique of retrieving the CSRF token from a form input is now ​documented for a different reason. I created #27611 to remove the check suggesting the use of CSRF_COOKIE_HTTPONLY, but a brief explanation of the proposed docs with a link to the other section seems fine.

[Mariusz Felisiak]

Duplicate of #29879. Fixed in 76b3367035889d87ffef7a52cd44d70e30537f6f.