Opened 6 years ago
Last modified 6 years ago
#29879 closed Cleanup/optimization
CSRF AJAX section should warn about the CSRF_COOKIE_HTTPONLY setting — at Version 1
Field | Value | Field | Value
---|---|---|---
Reported by: | Brenton Partridge | Owned by: | nobody
Component: | Documentation | Version: | dev
Severity: | Normal | Keywords: | csrf, settings
Cc: | | Triage Stage: | Ready for checkin
Has patch: | yes | Needs documentation: | no
Needs tests: | no | Patch needs improvement: | no
Easy pickings: | yes | UI/UX: | no
Description
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly says:
"If you enable this and need to send the value of the CSRF token with an AJAX request, your JavaScript must pull the value from a hidden CSRF token form input on the page instead of from the cookie."
However, the documentation at https://docs.djangoproject.com/en/dev/ref/csrf/#ajax makes no mention of this setting; it's only barely listed at the bottom of the page. And if HttpOnly is set, then the recommendation to read the token from the cookie will fail.
Anyone inheriting a codebase, or using a boilerplate that defaults CSRF_COOKIE_HTTPONLY to True, might naturally read the CSRF AJAX page, not even realize they need to check CSRF_COOKIE_HTTPONLY, and run into issues where it's clear that the CSRF cookie is being set in the browser's storage but isn't readable by Cookies.get('csrftoken') (which is recommended as the "canonical way to do things").
If our standard is to include code about how to read cookies, we shouldn't assume that the reader would instantly know that this mismatch is due to HttpOnly.
I'd propose modifying the preface and relevant headings on that page from:

    First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS setting is enabled.
    Acquiring the token if CSRF_USE_SESSIONS is False
    Acquiring the token if CSRF_USE_SESSIONS is True

to:

    First, you must get the CSRF token. How to do that depends on whether or not the CSRF_USE_SESSIONS or CSRF_COOKIE_HTTPONLY setting is enabled.
    Acquiring the token if CSRF_COOKIE_HTTPONLY and CSRF_USE_SESSIONS are False
    Acquiring the token if CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
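The failure mode the ticket describes, as an added example that is not part of the ticket or of Django's own documentation code: a token lookup that tries the cookie first and, when the cookie exists but is hidden from JavaScript by CSRF_COOKIE_HTTPONLY (or does not exist at all under CSRF_USE_SESSIONS), falls back to the hidden input rendered by {% csrf_token %}. It assumes Django's default cookie name csrftoken, the default input name csrfmiddlewaretoken, and the default X-CSRFToken header; the cookie string and the DOM lookup are passed in as parameters so the logic can be exercised outside a browser, and the cookie values below are constructed for illustration.

```javascript
// Added example (not Django project code): resolve the CSRF token for an AJAX
// request even when CSRF_COOKIE_HTTPONLY = True hides the cookie from JS.
//
// Assumptions (all Django defaults, not read from settings here):
const CSRF_COOKIE_NAME = 'csrftoken';          // CSRF_COOKIE_NAME
const CSRF_INPUT_NAME = 'csrfmiddlewaretoken'; // input emitted by {% csrf_token %}
const CSRF_HEADER = 'X-CSRFToken';             // matches CSRF_HEADER_NAME default

// Parse one cookie out of a document.cookie-style string ("a=1; b=2").
// Returns null when the cookie is absent from the string, which is exactly what
// happens with CSRF_COOKIE_HTTPONLY = True: the browser stores the cookie but
// never exposes it through document.cookie.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Resolve the token: cookie first (the path the AJAX docs call canonical), then
// the hidden form input. `hiddenInputValue` is a function so the DOM access is
// injectable. Returns { token, source } so a caller can tell which path was
// taken; throws when neither path yields a token, because silently sending an
// unsafe-method request without the header would just produce a 403.
function resolveCsrfToken(cookieString, hiddenInputValue) {
  const fromCookie = getCookie(cookieString, CSRF_COOKIE_NAME);
  if (fromCookie) return { token: fromCookie, source: 'cookie' };
  const fromInput = hiddenInputValue();
  if (fromInput) return { token: fromInput, source: 'form' };
  throw new Error(
    `CSRF token not found: cookie "${CSRF_COOKIE_NAME}" is not readable ` +
    `(CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS enabled?) and no ` +
    `<input name="${CSRF_INPUT_NAME}"> is present in the page`);
}

// Headers to attach to POST/PUT/PATCH/DELETE requests.
function csrfHeaders(cookieString, hiddenInputValue) {
  const { token } = resolveCsrfToken(cookieString, hiddenInputValue);
  return { [CSRF_HEADER]: token };
}

// Browser-side DOM lookup for the hidden input rendered by {% csrf_token %}.
function browserHiddenInput() {
  const el = document.querySelector(`input[name="${CSRF_INPUT_NAME}"]`);
  return el ? el.value : null;
}

// Browser usage (not invoked here): same-origin POST with the token header.
// `url` is a hypothetical endpoint supplied by the caller.
function postJson(url, payload) {
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      ...csrfHeaders(document.cookie, browserHiddenInput),
    },
    body: JSON.stringify(payload),
  });
}
```

The `source` field is worth logging once in development: if it reports `form` while you expected `cookie`, CSRF_COOKIE_HTTPONLY (or CSRF_USE_SESSIONS) is enabled and the cookie-reading snippet from the AJAX docs would have returned nothing.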