Opened 8 years ago

Closed 4 years ago

#27534 closed Cleanup/optimization (duplicate)

Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs

Reported by: Andrew Charles Owned by: nobody
Component: Documentation Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tim Graham)

https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

There should be a note in the CSRF AJAX docs that the CSRF_COOKIE_HTTPONLY setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {% csrf_token %}, and update the js with something like this:

var csrftoken = getCookie('csrftoken');  // null when the cookie is absent (or HttpOnly)
if (csrftoken === null) {
    // Fall back to the hidden input rendered by {% csrf_token %}
    csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
    // .val() returns undefined, not null, when no such input exists
    if (csrftoken == null) {
        console.log('No csrf token');
    }
}

This is my first Django issue/ticket, sorry if I missed anything.
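
The cookie-then-form lookup described above, written out as an added example (not code from the ticket or from Django itself). It assumes Django's default cookie name "csrftoken" and the "csrfmiddlewaretoken" input rendered by {% csrf_token %}; the readInput callback is a hypothetical stand-in for the DOM query so the code runs without a browser:

```javascript
// Parse one cookie out of a document.cookie-style string; returns null when the
// cookie is not present, which is also what happens when CSRF_COOKIE_HTTPONLY
// hides it from script (same contract as the getCookie helper in the Django docs).
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const raw of cookieString.split(';')) {
    const cookie = raw.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Resolve the token: cookie first, then the hidden form input.
// readInput (hypothetical, caller-supplied) returns the input's value or
// undefined; in a page it would be
//   () => document.querySelector('input[name="csrfmiddlewaretoken"]')?.value
function resolveCsrfToken(cookieString, readInput) {
  let token = getCookie('csrftoken', cookieString);
  if (token === null) {
    // Cookie unreadable (e.g. HttpOnly): use the value from {% csrf_token %}.
    // A missing element yields undefined, not null, hence the loose comparison.
    const fromInput = readInput();
    token = fromInput == null ? null : fromInput;
  }
  return token;
}

// Headers for a non-safe (POST/PUT/PATCH/DELETE) AJAX request. Failing loudly
// here is better than sending a request Django will reject with 403.
function csrfHeaders(cookieString, readInput) {
  const token = resolveCsrfToken(cookieString, readInput);
  if (token === null) throw new Error('No CSRF token available');
  return { 'X-CSRFToken': token };
}
```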

Change History (4)

comment:1 by Tim Graham, 8 years ago

Description: modified (diff)
Summary: Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs → Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs
Type: Uncategorized → Cleanup/optimization
Version: master

It seems fine, but allegedly CSRF_COOKIE_HTTPONLY doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?

in reply to: comment:1 | comment:2 by Andrew Charles, 8 years ago

Replying to Tim Graham:

It seems fine, but allegedly CSRF_COOKIE_HTTPONLY doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?

I know that a browser can ignore this setting and that it doesn't really provide additional security, but CSRF_COOKIE_HTTPONLY is currently recommended when running python manage.py check --deploy. Until it is removed I think this would improve the docs and avoid confusion when using it with AJAX.

comment:3 by Tim Graham, 8 years ago

Triage Stage: Unreviewed → Accepted

The technique of retrieving the CSRF token from a form input is now documented for a different reason. I created #27611 to remove the check suggesting the use of CSRF_COOKIE_HTTPONLY, but a brief explanation of the proposed docs with a link to the other section seems fine.

comment:4 by Mariusz Felisiak, 4 years ago

Resolution: duplicate
Status: new → closed