Opened 8 years ago
Last modified 3 years ago
#27534 closed Cleanup/optimization
Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs — at Version 1
| Reported by: | Andrew Charles | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
There should be a note in the CSRF AJAX docs that the CSRF_COOKIE_HTTPONLY setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {% csrf_token %}, and update the js with something like this:
var csrftoken = getCookie('csrftoken'); if (csrftoken === null) { csrftoken = $('input[name="csrfmiddlewaretoken"]').val(); if (csrftoken === null) { console.log('No csrf token'); } }
This is my first Django issue/ticket, sorry if I missed anything.
Change History (1)
comment:1 by , 8 years ago
| Description: | modified (diff) |
|---|---|
| Summary: | Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs → Add CSRF_COOKIE_HTTPONLY note to CSRF AJAX docs |
| Type: | Uncategorized → Cleanup/optimization |
| Version: | → master |
Note:
See TracTickets
for help on using tickets.
It seems fine, but allegedly
CSRF_COOKIE_HTTPONLYdoesn't provide any additional security. So I'm not sure if we're wasting our time enhancing its documentation rather than deemphasizing it in the documentation (or even removing it)?