Changes between Initial Version and Version 1 of Ticket #27534


Timestamp: Nov 25, 2016, 6:41:16 AM
Author: Tim Graham
Comment:

It seems fine, but allegedly CSRF_COOKIE_HTTPONLY doesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?

  • Ticket #27534

    • Property Summary changed from "Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs" to "Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs"
    • Property Type changed from Uncategorized to Cleanup/optimization
    • Property Version master
  • Ticket #27534 – Description

    initial v1  
    22https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
    33
    4 There should be a note in the CSRF AJAX docs that the {{{CSRF_COOKIE_HTTP_ONLY}}} setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {{{{% csrf_token %}}}}, and update the js with something like this:
     4There should be a note in the CSRF AJAX docs that the {{{CSRF_COOKIE_HTTPONLY}}} setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {{{{% csrf_token %}}}}, and update the js with something like this:
    55{{{#!javascript
    66var csrftoken = getCookie('csrftoken');
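Review bot: line 4 of the description says the setting "will prevent non-safe ajax calls from working" but does not give the reason, which is the part a docs note would need. Suggest stating that a cookie flagged HttpOnly is not readable from JavaScript, so the getCookie('csrftoken') call on line 6 cannot obtain the token, and that this is why the token has to be taken from the {% csrf_token %} output instead. The corrected spelling CSRF_COOKIE_HTTPONLY is consistent with the summary and with the comment above.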