id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29879	CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting	Brenton Partridge	nobody	"https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly says:

""If you enable this and need to send the value of the CSRF token with an AJAX request, your JavaScript must pull the value from a hidden CSRF token form input on the page instead of from the cookie.""

However, the documentation at https://docs.djangoproject.com/en/dev/ref/csrf/#ajax makes no mention of this setting; it's only barely listed at the bottom of the page. And if HttpOnly is set, then the recommendation to read the token from the cookie will fail.

Anyone inheriting a codebase, or using a boilerplate that defaults CSRF_COOKIE_HTTPONLY to True, might naturally read the CSRF AJAX page, not even realize they need to check CSRF_COOKIE_HTTPONLY, and run into issues where it's clear that the CSRF cookie is being set in the browser's storage, but isn't readable by `Cookies.get('csrftoken')` (which is recommended as the ""canonical way to do things"").

If our standard is to include code about how to read cookies, we shouldn't assume that the reader would instantly know that this mismatch is due to HttpOnly.

I'd propose modifying the preface and relevant headings on that page from:


{{{
First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS setting is enabled.

Acquiring the token if CSRF_USE_SESSIONS is False/True
}}}


to:


{{{
First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS or CSRF_COOKIE_HTTPONLY setting is enabled.

Acquiring the token if CSRF_COOKIE_HTTPONLY and CSRF_USE_SESSIONS are False

Acquiring the token if CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
}}}
"	New feature	new	Documentation	dev	Normal		csrf, settings		Unreviewed	0	0	0	0	1	0
