Add CSRF_COOKIE_HTTPONLY config value #150

Closed
wants to merge 2 commits into
from

4 participants

@saschpe

Follow-up of #114

Copied my last comment:

Maybe it makes sense to keep the config value and set it to False by default, otherwise the current CSRF+Ajax recipe in the official Django documentation won't work (https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax) because access to 'document.cookies' is restricted (obviously). Of course there are other ways to do it (like http://erlend.oftedal.no/blog/?blogid=118) but maybe this is worth discussing beforehand.

@mlavin

Your documentation changes state that the default is True.

@saschpe

Oops, I updated the second commit. Sorry about that ;-)

@saschpe

@adrianholovaty: can you have a look again?

@ptone ptone and 2 others commented on an outdated diff Sep 27, 2012
docs/ref/settings.txt
@@ -362,6 +362,19 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
the cookie will be marked as "secure," which means browsers may ensure that the
cookie is only sent under an HTTPS connection.
+.. setting:: CSRF_COOKIE_HTTPONLY
+
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie. See :setting:`SESSION_COOKIE_HTTPONLY`.
@ptone
Django member
ptone added a line comment Sep 27, 2012

looks like a copy and paste typo from the session cookie docs

@saschpe
saschpe added a line comment Oct 3, 2012

Do you mean the :settings:SESSION_COOKIE_HTTPONLY? That was intentional, I didn't want to rephrase the good explanation that is found there.

@spookylukey
Django member
spookylukey added a line comment Oct 13, 2012

I think he meant "session cookie" which should be "CSRF cookie"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
saschpe added some commits Jun 6, 2012
@saschpe saschpe Add CSRF_COOKIE_HTTPONLY configuration value
Fixes #15808, even if there is also strict referer checking in place,
better safe than sorry.
0504721
@saschpe saschpe Set CSRF_COOKIE_HTTPONLY to False by default.
The document.cookies is often directly referenced in JavaScript AJAX code
(altough there are different ways on how to do it, even the AJAX recipe
in the official documentation does it:
https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax)
75a3278
@saschpe

Ok, I fixed the documentation issues.

@spookylukey
Django member

This is technically a new feature, so it shouldn't go into 1.5.x, but can go into master. The docs will need updating slightly to reflect this. I can do this when I merge it.

@aaugustin
Django member

This patch fixes https://code.djangoproject.com/ticket/15808

Unfortunately, it's out of date and cannot be merged automatically.

Since our triage options on GitHub are limited to "open" or "closed", I'm going to close it. It's still referenced in Trac for anyone who looks at the ticket. Please re-open if you have a chance to update it.

@aaugustin aaugustin closed this Feb 1, 2013
@saschpe

Well that's crap, the pull request has been around for 8 months. Gotta rebase it then...

@nanuxbe nanuxbe pushed a commit to nanuxbe/django that referenced this pull request Jul 2, 2016
@bmispelon bmispelon Fixed #150 -- Added styling to note, admonition and warning boxes. d9bd93f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment