#29879 closed Cleanup/optimization (fixed)
CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting
Reported by: | Brenton Partridge | Owned by: | Mayank Singhal
---|---|---|---
Component: | Documentation | Version: | dev
Severity: | Normal | Keywords: | csrf, settings
Cc: | | Triage Stage: | Ready for checkin
Has patch: | yes | Needs documentation: | no
Needs tests: | no | Patch needs improvement: | no
Easy pickings: | yes | UI/UX: | no
Description (last modified by )
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly says:
"If you enable this and need to send the value of the CSRF token with an AJAX request, your JavaScript must pull the value from a hidden CSRF token form input on the page instead of from the cookie."
However, the documentation at https://docs.djangoproject.com/en/dev/ref/csrf/#ajax makes no mention of this setting; it's only barely listed at the bottom of the page. And if HttpOnly is set, then the recommendation to read the token from the cookie will fail.
Anyone inheriting a codebase, or using a boilerplate that defaults CSRF_COOKIE_HTTPONLY to True, might naturally read the CSRF AJAX page, not even realize they need to check CSRF_COOKIE_HTTPONLY, and run into issues where it's clear that the CSRF cookie is being set in the browser's storage, but isn't readable by Cookies.get('csrftoken') (which is recommended as the "canonical way to do things").
If our standard is to include code about how to read cookies, we shouldn't assume that the reader would instantly know that this mismatch is due to HttpOnly.
I'd propose modifying the preface and relevant headings on that page from:
First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS setting is enabled.
Acquiring the token if CSRF_USE_SESSIONS is False/True
to:
First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS or CSRF_COOKIE_HTTPONLY setting is enabled.
Acquiring the token if CSRF_COOKIE_HTTPONLY and CSRF_USE_SESSIONS are False
Acquiring the token if CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
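The lookup order the ticket is asking the docs to spell out, as an added example (not code from the ticket or from the Django docs): try the hidden `csrfmiddlewaretoken` input first, since it is readable whether or not the cookie is HttpOnly, and only then fall back to the cookie. `fakeDocument` is a constructed stand-in for the browser `document` so the snippet runs outside a browser.

```javascript
// Added example: obtain Django's CSRF token in a way that keeps working when
// CSRF_COOKIE_HTTPONLY=True (cookie invisible to scripts) or CSRF_USE_SESSIONS=True
// (no cookie at all), as long as {% csrf_token %} is rendered in the page.

function getCookie(name, cookieString) {
  // Parse "a=1; b=2" and return the decoded value of `name`, or null.
  for (const part of cookieString.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

function getCsrfToken(doc, cookieName = 'csrftoken') {
  // 1. Hidden input from {% csrf_token %}: works regardless of HttpOnly.
  const input = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  if (input && input.value) return input.value;
  // 2. Cookie fallback: empty when CSRF_COOKIE_HTTPONLY=True or CSRF_USE_SESSIONS=True.
  const fromCookie = getCookie(cookieName, doc.cookie || '');
  if (fromCookie) return fromCookie;
  // 3. Fail loudly instead of silently sending a request with no token.
  throw new Error('CSRF token not found: render {% csrf_token %} in the page when ' +
    'CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True');
}

// Constructed stand-in for `document` (only the two members used above).
function fakeDocument({ inputValue = null, cookie = '' } = {}) {
  return {
    cookie,
    querySelector: (sel) =>
      sel === 'input[name="csrfmiddlewaretoken"]' && inputValue !== null
        ? { value: inputValue }
        : null,
  };
}

// fetch() options for a same-origin POST: the token travels in X-CSRFToken,
// the header CsrfViewMiddleware reads under the default CSRF_HEADER_NAME.
function csrfFetchOptions(doc, body) {
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'X-CSRFToken': getCsrfToken(doc), 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}
```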
Change History (9)
comment:1 by , 6 years ago
Description: | modified (diff) |
---|
comment:2 by , 6 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | New feature → Cleanup/optimization |
comment:5 by , 6 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:7 by , 6 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
I’m sympathetic to this. People have hit similar issues on DRF with `CSRF_USE_SESSIONS`.
It’d at least be worth mentioning that you may have to include the CSRF token on the page.