id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32800	CsrfViewMiddleware unnecessarily masks CSRF cookie	Chris Jerdonek	Chris Jerdonek	"I noticed that `CsrfViewMiddleware` unnecessarily masks the CSRF cookie. See, for example:
https://github.com/django/django/blob/d270dd584e0af12fe6229fb712d0704c232dc7e5/django/middleware/csrf.py#L91

My understanding of the [http://breachattack.com/ BREACH attack] is that the vulnerability comes from not masking the CSRF token in the response body (e.g. what is included in the HTML). Masking the cookie itself doesn't help with this. (Django also [https://github.com/django/django/blob/d270dd584e0af12fe6229fb712d0704c232dc7e5/django/middleware/csrf.py#L308-L309 doesn't change the mask] of the cookie with each request, so the mask wouldn't help in this regard anyways.)

Some advantages of not masking the cookie are: It would simplify the code in `CsrfViewMiddleware` because it would remove some complexity and operations that aren't needed for security. Currently, masking the CSRF cookie is a red herring for someone wanting to understand the various security features. Also, not masking the cookie would make requests and responses smaller when `CSRF_USE_SESSIONS` is false or when true and cookie-based sessions are used. This is because masking doubles the length of the string.

This can be changed fairly easily while (1) continuing to respect masked cookie values, and (2) not forcing session stores to update their cookie in its unmasked form if they are currently storing it masked.
"	Cleanup/optimization	closed	CSRF	dev	Normal	fixed		Shai Berger Florian Apolloner	Ready for checkin	1	0	0	0	0	0
