Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#29879 closed Cleanup/optimization (fixed)

CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting

Reported by: Brenton Partridge
Owned by: Mayank Singhal
Component: Documentation
Version: dev
Severity: Normal
Keywords: csrf, settings
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description (last modified by Brenton Partridge)

https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly says:

"If you enable this and need to send the value of the CSRF token with an AJAX request, your JavaScript must pull the value from a hidden CSRF token form input on the page instead of from the cookie."

However, the documentation at https://docs.djangoproject.com/en/dev/ref/csrf/#ajax makes no mention of this setting; it's only barely listed at the bottom of the page. And if HttpOnly is set, then the recommendation to read the token from the cookie will fail.

Anyone inheriting a codebase, or using a boilerplate that defaults CSRF_COOKIE_HTTPONLY to True, might naturally read the CSRF AJAX page, not even realize they need to check CSRF_COOKIE_HTTPONLY, and run into issues where it's clear that the CSRF cookie is being set in the browser's storage, but isn't readable by Cookies.get('csrftoken') (which is recommended as the "canonical way to do things").

If our standard is to include code about how to read cookies, we shouldn't assume that the reader would instantly know that this mismatch is due to HttpOnly.

I'd propose modifying the preface and relevant headings on that page from:

First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS setting is enabled.

Acquiring the token if CSRF_USE_SESSIONS is False/True

to:

First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS or CSRF_COOKIE_HTTPONLY setting is enabled.

Acquiring the token if CSRF_COOKIE_HTTPONLY and CSRF_USE_SESSIONS are False

Acquiring the token if CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
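
The following is an added example illustrating the situation the ticket describes; it is not code from the ticket, its author, or Django's documentation. It assumes Django's default names (the `csrftoken` cookie and the hidden `csrfmiddlewaretoken` input rendered by `{% csrf_token %}`); the function names `getCookieValue`, `resolveCsrfToken`, `getCsrfToken` and `csrfFetchOptions` are hypothetical. The token lookup prefers the hidden form input and falls back to the cookie, so it works whether or not CSRF_COOKIE_HTTPONLY is enabled, and it fails loudly rather than silently sending a request without a token when neither source is present.

```javascript
// Added example (not from the ticket or Django's docs): acquiring the CSRF token
// for an AJAX request in a way that copes with CSRF_COOKIE_HTTPONLY = True.
//
// With HttpOnly set, the browser still stores and sends the csrftoken cookie, but
// document.cookie no longer exposes it, so Cookies.get('csrftoken') returns
// undefined. The page therefore has to render {% csrf_token %} (a hidden
// <input name="csrfmiddlewaretoken">) and the script must read that instead.
// The helpers below are pure functions over strings so they can be exercised
// outside a browser; `document` is only touched inside getCsrfToken().

// Parse a document.cookie string ("sessionid=x; csrftoken=abc") and return the
// value of the named cookie, or null when it is absent (or hidden by HttpOnly).
function getCookieValue(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Decide where the token comes from. `inputValue` is the value of the hidden
// csrfmiddlewaretoken input (null if the page has none); `cookieString` is
// document.cookie. The hidden input is preferred because it works in both
// configurations; the cookie is only a fallback for pages without the tag.
function resolveCsrfToken(inputValue, cookieString) {
  if (inputValue) return inputValue;
  const fromCookie = getCookieValue(cookieString, 'csrftoken');
  if (fromCookie) return fromCookie;
  // Neither source is available. This is exactly the HttpOnly (or
  // CSRF_USE_SESSIONS) mismatch the ticket describes: surface it instead of
  // sending a request that the CSRF middleware will reject with 403.
  throw new Error(
    'CSRF token not found: the template must include {% csrf_token %} ' +
    'when CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is enabled.'
  );
}

// Browser entry point (hypothetical helper name).
function getCsrfToken() {
  const input = document.querySelector('input[name="csrfmiddlewaretoken"]');
  return resolveCsrfToken(input ? input.value : null, document.cookie);
}

// Build fetch() options that send the token in the X-CSRFToken header, which is
// the header Django's CSRF middleware checks by default (CSRF_HEADER_NAME).
function csrfFetchOptions(token, method, payload) {
  return {
    method,
    // The (possibly HttpOnly) cookie must still reach the server for the check.
    credentials: 'same-origin',
    headers: { 'X-CSRFToken': token, 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

// Usage in a page:
//   fetch('/api/items/', csrfFetchOptions(getCsrfToken(), 'POST', { name: 'x' }));
```

Because `resolveCsrfToken` throws instead of returning `undefined`, a page that enables CSRF_COOKIE_HTTPONLY but forgets to render `{% csrf_token %}` fails at the point of the mistake rather than as an opaque 403 from the server.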

Change History (9)

comment:1 by Brenton Partridge, 5 years ago

Description: modified (diff)

comment:2 by Carlton Gibson, 5 years ago

Triage Stage: Unreviewed → Accepted
Type: New feature → Cleanup/optimization

I’m sympathetic to this. People have hit similar issues on DRF with `CSRF_USE_SESSIONS`.

It’d at least be worth mentioning that you may have to include the CSRF token on the page.

comment:3 by Mayank Singhal, 5 years ago

Hey, can I take this up?

comment:4 by Carlton Gibson, 5 years ago

Hi storymode7. Yes, you’re very welcome. 🙂

comment:5 by Mayank Singhal, 5 years ago

Owner: changed from nobody to Mayank Singhal
Status: new → assigned

comment:7 by Carlton Gibson, 5 years ago

Triage Stage: Accepted → Ready for checkin

comment:8 by Tim Graham <timograham@…>, 5 years ago

Resolution: fixed
Status: assigned → closed

In 76b33670:

Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.

comment:9 by Tim Graham <timograham@…>, 5 years ago

In 4529287a:

[2.1.x] Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.

Backport of 76b3367035889d87ffef7a52cd44d70e30537f6f from master
