Opened 11 years ago
Closed 10 years ago
#20825 closed New feature (wontfix)
Make cookies use the HTTPOnly flag by default
Reported by: | Julien Phalip | Owned by: | Julien Phalip |
---|---|---|---|
Component: | HTTP handling | Version: | 1.5 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The HttpOnly
cookie flag helps prevent the most common types of XSS attacks (see https://www.owasp.org/index.php/HttpOnly). Thus it would be preferable for Django to use it by default.
This change would be backwards-incompatible, in particular for applications that rely on cookies being accessible from genuine client-side Javascript code. Therefore this change should be clearly explained in the release notes.
Some information about the benefits and caveats of using this flag should also be added to the security section of the documentation.
This change is somewhat dependent on a resolution being found for #20755, as the Python standard library's cookies
module's management of HttpOnly
is inconsistent.
Change History (3)
comment:1 by , 11 years ago
comment:2 by , 10 years ago
Actually, accessing the CSRF cookie via JavaScript is the recommended way to use the CSRF protection with AJAX (see: https://docs.djangoproject.com/en/1.8/ref/csrf/#ajax). So, as far as the CSRF cookie is concerned, I'd close this as "wontfix".
As for set_cookie, this would break backwards compatibility and as the most important cookie, the sessison cookie, is protected, I'd also vote for wontfix here. Any other opinions?
comment:3 by , 10 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
I completely concur. For the set_cookie
default, I do see a security benefit, but I feel it's so small that it's not worth breaking the backwards compatibility. Especially when considering that this is likely to break things silently, and not be noticed in unit tests - only by vague error reports from users.
The current default for SESSION_COOKIE_HTTPONLY in current master is True. So, this concerns only the CSRF cookie, and custom cookies set though set_cookie() on a response. Are you referring to one of these specifically, or both?