No CSRF cookie for docs pages

[davidfischer]

This marks docs pages served by Django as CSRF exempt. This should prevent a CSRF cookie from being set (it does in dev at least).

[ericholscher]

Most doc pages are served directly from nginx, so is this a common issue in production?

I'd also imagine the footer API could be setting cookies, and would likely be called on all pages.

[ericholscher]

We should include a comment here about why we're making these exempt (no cookies on doc pages)

[ericholscher]

Looks like the doc pages & footer don't return Cookies at all. So I guess this is just catching the last of the cookie-setting views that we have?

[ericholscher]

Looks like the 404 page also sets a cookie:

-> curl -IL http://docs.readthedocs.io/en/latest/404/
HTTP/1.1 404 Not Found
Server: nginx/1.10.3 (Ubuntu)
Vary: Accept-Encoding
Vary: Cookie, Accept-Language
Content-Type: text/html; charset=utf-8
Date: Tue, 29 May 2018 15:20:25 GMT
Transfer-Encoding: chunked
Content-Language: en
Connection: Keep-Alive
Set-Cookie: csrftoken=3WLWur0BF8UXb468SG95cVi8ShE4tmGY; expires=Tue, 28-May-2019 15:20:25 GMT; httponly; Max-Age=31449600; Path=/

[davidfischer]

the footer API could be setting cookies

It doesn't appear to be.

Looks like the 404 page also sets a cookie

This is a good catch! This is part of the problem.

[davidfischer]

csrf_exempt does not do what I thought it did. It does not prevent the CSRF cookie from being set.

I tracked this problem down a little deeper. It looks like the cookie getting set unnecessarily is 100% due to the 404 page setting the CSRF cookie. The 404 page sets the CSRF cookie because of the set language form in the footer of the 404 page. I failed to notice this partially because some of our docs (notably https://docs.readthedocs.io/en/latest/) always have a 404 due to this (unnecessary?) line but others don't.

I see a couple solutions:

• Simply remove the set language form from the 404 page
• Have a more simplified 404 page

Thoughts?

[ericholscher]

Removing the form from the 404 page seems like a simple solution, if there's an easy way to do it.

[davidfischer]

I removed the language select form from the error pages. This removes setting the cookie.

[ericholscher]

This looks like an elegant solution. 👍

[humitos]

Just want to mention that we might need the same for the corporate site on the same files:

• 404.html extends from community's 404 template, https://github.com/readthedocs/readthedocs-corporate/blob/6e6e450e2b9a4bad55e53f958df83875bdbbe57f/readthedocsinc/corporate/templates/serve/404.html#L1 --so, I think nothing to do here
• 401.html extends from base.html, https://github.com/readthedocs/readthedocs-corporate/blob/6e6e450e2b9a4bad55e53f958df83875bdbbe57f/readthedocsinc/corporate/templates/401.html#L1 --so, we will need to update it

The other templates modified in PRs are not override in corporate, so nothing to do I suppose.

[davidfischer]

I'm not as concerned if corporate hosted docs set a CSRF cookie although it may still be good to look at. Typically, we have a relationship with people visiting corporate docs.