Ticket #15808 added the CSRF_COOKIE_HTTPONLY setting to set the
HttpOnly attribute on the csrftoken cookie. The HttpOnly attribute is
intended to prevent accessing a cookie through the DOM interface, only
sending it over HTTP. This improves security for session cookies
because it prevents XSS attacks from accessing the session id.

The CSRF token is used through the DOM though, by embedding it in the
HTML of a form, so it's always accessible through JavaScript anyway.
The docs even suggest how to negate the effect of the setting:

> This can help prevent malicious JavaScript from bypassing CSRF protection. If 
> you enable this and need to send the value of the CSRF token with Ajax 
> requests, your JavaScript will need to pull the value from a hidden CSRF 
> token form input on the page instead of from the cookie.

The first sentence isn't actually true. HttpOnly can't prevent
JavaScript from obtaining the csrftoken, because the csrftoken has to
be in the DOM anyway. The second sentence suggests doing something
that completely negates the effect of the setting, so why use it at
all?

I understand that this setting may exist only to satisfy misguided
security scanners and not to actually improve security. If that's the
case, the implication that this setting improves security should be
removed from the docs.

Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CACPudh1Nn-Cz5hJivvTVcfD%3DSSB2E9ZC2s-2mnje88kARKjBfA%40mail.gmail.com.
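The point made in the message above, as an added example (not code from the post or from Django): it models what page JavaScript can read with CSRF_COOKIE_HTTPONLY on versus off. The browser's document.cookie view is simulated by filtering Set-Cookie headers for the HttpOnly attribute, and the rendered form is a constructed snippet in the shape the {% csrf_token %} tag emits (type, name, value attribute order is assumed). The token values are placeholders.

```javascript
// Added example, not from the original post or from Django.
// Simulates the browser's document.cookie view: any cookie carrying the
// HttpOnly attribute is invisible to script, everything else is listed.
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .map((header) => header.split(";").map((part) => part.trim()))
    .filter((parts) => !parts.slice(1).some((attr) => attr.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// What a script gets when it looks for the csrftoken cookie in document.cookie.
function tokenFromCookieString(cookieString) {
  for (const pair of cookieString.split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name === "csrftoken") return rest.join("=");
  }
  return null;
}

// What a script gets when it reads the hidden form input instead.
// Assumes the markup shape <input type="hidden" name="csrfmiddlewaretoken" value="...">.
function tokenFromMarkup(html) {
  const match = /<input\b[^>]*\bname="csrfmiddlewaretoken"[^>]*\bvalue="([^"]*)"/.exec(html);
  return match ? match[1] : null;
}

// Both sources a script on the page could consult, side by side.
function whatScriptCanRead(setCookieHeaders, html) {
  return {
    fromCookie: tokenFromCookieString(documentCookieView(setCookieHeaders)),
    fromDom: tokenFromMarkup(html),
  };
}

// Constructed sample data; token and session values are placeholders, not real.
const TOKEN = "Q7xExampleTokenNotReal";
const SET_COOKIE_HTTPONLY = [
  `csrftoken=${TOKEN}; Path=/; SameSite=Lax; HttpOnly`, // CSRF_COOKIE_HTTPONLY = True
  "sessionid=placeholder-session; Path=/; HttpOnly",
];
const SET_COOKIE_DEFAULT = [
  `csrftoken=${TOKEN}; Path=/; SameSite=Lax`, // CSRF_COOKIE_HTTPONLY = False
  "sessionid=placeholder-session; Path=/; HttpOnly",
];
const PAGE_HTML = `<form method="post" action="/transfer/">
  <input type="hidden" name="csrfmiddlewaretoken" value="${TOKEN}">
  <input type="text" name="amount">
</form>`;

// With HttpOnly set the cookie path yields nothing, but the DOM path still
// returns the token; without it both paths return the token.
console.log(whatScriptCanRead(SET_COOKIE_HTTPONLY, PAGE_HTML));
console.log(whatScriptCanRead(SET_COOKIE_DEFAULT, PAGE_HTML));
```

The only thing the setting changes is which of the two lookups succeeds; the token itself is equally available to any script running on the page, which is the message's argument.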