p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #29879 -- Added CSRF_COOKIE_HTTPONLY to CSRF AJAX docs.

This commit is contained in:
Mayank Singhal 2018-10-25 01:52:57 +05:30 committed by Tim Graham
parent f1d1634493
commit 76b3367035
2 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
docs/ref/csrf.txt
View File

@ -66,10 +66,13 @@ often easier because many JavaScript frameworks provide hooks that allow
headers to be set on every request.
First, you must get the CSRF token. How to do that depends on whether or not
the :setting:`CSRF_USE_SESSIONS` setting is enabled.
the :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` settings
are enabled.
Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``False``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. _acquiring-csrf-token-from-cookie:
Acquiring the token if :setting:`CSRF_USE_SESSIONS` and :setting:`CSRF_COOKIE_HTTPONLY` are ``False``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The recommended source for the token is the ``csrftoken`` cookie, which will be
set if you've enabled CSRF protection for your views as outlined above.
@ -122,11 +125,14 @@ The above code could be simplified by using the `JavaScript Cookie library
Django provides a view decorator which forces setting of the cookie:
:func:`~django.views.decorators.csrf.ensure_csrf_cookie`.
Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``True``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. _acquiring-csrf-token-from-html:
If you activate :setting:`CSRF_USE_SESSIONS`, you must include the CSRF token
in your HTML and read the token from the DOM with JavaScript:
Acquiring the token if :setting:`CSRF_USE_SESSIONS` or :setting:`CSRF_COOKIE_HTTPONLY` is ``True``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you activate :setting:`CSRF_USE_SESSIONS` or
:setting:`CSRF_COOKIE_HTTPONLY`, you must include the CSRF token in your HTML
and read the token from the DOM with JavaScript:
.. code-block:: html+django

5
docs/ref/settings.txt
View File

@ -335,8 +335,9 @@ Although the setting offers little practical benefit, it's sometimes required
by security auditors.
If you enable this and need to send the value of the CSRF token with an AJAX
request, your JavaScript must pull the value from a hidden CSRF token form
input on the page instead of from the cookie.
request, your JavaScript must pull the value :ref:`from a hidden CSRF token
form input <acquiring-csrf-token-from-html>` instead of :ref:`from the cookie
<acquiring-csrf-token-from-cookie>`.
See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``.