bug 1456165: remove csrfmiddlewaretoken from wiki.document view responses #4757
This PR removes
I'm trying to decide if we should always remove CSRF, or just for anonymous users. If we try to restrict this to anonymous users:
This might work going forward. However, if an anon user that visited MDN in the last year shows up with a CSRF cookie, then the CDN would give them a per-user cache. We'd need to add a middleware that actively deletes CSRF cookies for anonymous users, and maybe add it to logout.
OK, now for the risks:
OK, that's my preliminary thoughts. Now to actually try to code it out, read it closely, etc.
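The "middleware that actively deletes CSRF cookies for anonymous users" mentioned in the comment above, as an added example that is not code from this PR or from the MDN/kuma project. The idea is to expire a leftover `csrftoken` cookie on responses to anonymous requests so the CDN can serve them the shared cache entry again, while leaving authenticated users alone and never clobbering a response that deliberately sets a fresh token (for example a page rendering a form). The `Request`, `User` and `Response` classes are constructed stand-ins so the snippet runs without Django; the attribute names and `delete_cookie()` behaviour are assumptions modelled on Django's conventions, not the framework itself.

```python
"""Expire stale CSRF cookies for anonymous users so a CDN can give them a shared cache entry.

Added example, not code from the MDN/kuma PR. The classes below are constructed
test doubles that loosely mirror Django's request/response attributes
(request.cookies, request.user.is_authenticated, response.delete_cookie) so the
example runs stand-alone without Django installed.
"""
from dataclasses import dataclass, field

CSRF_COOKIE_NAME = "csrftoken"  # Django's default CSRF_COOKIE_NAME


@dataclass
class User:
    is_authenticated: bool


@dataclass
class Request:
    cookies: dict   # cookies the browser sent with this request
    user: User


@dataclass
class Response:
    headers: dict = field(default_factory=dict)
    # name -> value for cookies this response sets; None models an expired
    # cookie (stand-in for Django's response.delete_cookie()).
    set_cookies: dict = field(default_factory=dict)

    def delete_cookie(self, name):
        self.set_cookies[name] = None


def strip_anonymous_csrf_cookie(request, response):
    """Return True if the response was changed to expire a leftover CSRF cookie.

    Rules:
    * authenticated users keep their cookie: a per-user cache entry is correct for them;
    * a response that itself sets a CSRF cookie (a page with a POST form) is left
      alone, otherwise the token the form embeds would not match the cookie;
    * an anonymous request still carrying csrftoken gets an expired Set-Cookie, so
      from the next request on the browser sends no cookie and the CDN can fall
      back to the shared, cookie-less cache entry.
    """
    if request.user.is_authenticated:
        return False
    if CSRF_COOKIE_NAME in response.set_cookies:
        return False
    if CSRF_COOKIE_NAME not in request.cookies:
        return False
    response.delete_cookie(CSRF_COOKIE_NAME)
    return True


def logout_response(response):
    """On logout, always expire the CSRF cookie so the now-anonymous browser stops sending it."""
    response.delete_cookie(CSRF_COOKIE_NAME)
    return response


if __name__ == "__main__":
    # Constructed sample: an anonymous visitor whose browser still has a year-old csrftoken.
    anon = User(is_authenticated=False)
    resp = Response()
    changed = strip_anonymous_csrf_cookie(Request({"csrftoken": "stale-token"}, anon), resp)
    print("cookie expired:", changed, resp.set_cookies)
```

Wiring this as Django middleware would mean running `strip_anonymous_csrf_cookie` in the response phase after `CsrfViewMiddleware` has run, and calling `logout_response` from the logout view; both placements are assumptions about the project layout rather than anything this PR shows.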
@jwhitlock That's a promising idea, restricting this approach to anonymous users. That would require:
This works locally for me, and a CSRF token is not added when I visit wiki pages.
I did get an unexpected CSRF token when logging in - it appears the django-allauth GitHub callback is adding it. More investigation is needed, but it should still be OK for our CDN interaction.