Tuesday, October 29, 2013

Re: setting csrftoken to httponly and building ajax forms: not going to happen?

On Sat, Oct 26, 2013 at 11:18 PM, Spork Spork <testbackupacct@gmail.com> wrote:
> Hi,
>
> I'm using Django 1.4.1b, and for security purposes would like to make the
> csrftoken cookie httponly, and therefore inaccessible from JavaScript. Since
> this support is not available in my version of Django, I planned to follow
> this implementation approach:
> http://stackoverflow.com/questions/10861784/django-csrf-cookie-httponly.
>
> But I also build AJAX requests, where I use the suggested approach outlined
> in the Django docs
> (https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#ajax), which
> involves getting the cookie and setting the x-csrftoken header in
> JavaScript.
>
> It looks to me like these two goals are fundamentally incompatible. Am I
> wrong? Is there some way to have both httponly csrf cookies and AJAX?
>
> Many thanks!
>
> Spork

Yes, (unsurprisingly) if you force the CSRF cookie to be unreadable
from JavaScript, then you will not be able to use JavaScript to
extract the CSRF token from the CSRF cookie when you submit an AJAX
request.

The requirement in order to use CSRF is for your AJAX submission to
include a CSRF token. This means you must insert the token some other
way, e.g. by including a hidden element in the form or page that
specifies the CSRF token, which will be included when the form is
submitted via AJAX, or extracted from the page and sent with the AJAX
request.

Cheers

Tom
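The alternative Tom describes, worked through as an added example (this is not code from the thread or from Django itself): the page is rendered with Django's `{% csrf_token %}` tag, which emits a hidden input named `csrfmiddlewaretoken`, and the AJAX code reads the token from that input instead of from the cookie, then sends it in the `X-CSRFToken` header that Django's CSRF middleware already checks. Because the token never has to be read from `document.cookie`, the `csrftoken` cookie can be flagged `HttpOnly`. The sample markup and cookie strings below are constructed placeholders, and the `postWithCsrf` helper is hypothetical browser glue; `tokenFromCookieString` is included only to show why the cookie-based approach from the docs returns nothing once the cookie is `HttpOnly`.

```javascript
// Added example, not from the thread: send Django's CSRF token with an AJAX
// request by taking it from the rendered page rather than the csrftoken cookie.
// Assumes the template rendered {% csrf_token %} (hidden input named
// "csrfmiddlewaretoken") and that the server runs Django's CsrfViewMiddleware,
// which accepts the token in the X-CSRFToken request header.

// Pull the token out of the hidden input emitted by {% csrf_token %}.
// Operates on a markup string so it can run outside a browser; in the page the
// equivalent is document.querySelector('input[name=csrfmiddlewaretoken]').value.
function extractCsrfToken(html) {
  const m =
    html.match(/<input[^>]*name=["']csrfmiddlewaretoken["'][^>]*value=["']([^"']+)["']/i) ||
    html.match(/<input[^>]*value=["']([^"']+)["'][^>]*name=["']csrfmiddlewaretoken["']/i);
  return m ? m[1] : null;
}

// The cookie-based approach from the Django docs: find csrftoken in a cookie
// string. When the cookie is HttpOnly the browser omits it from document.cookie,
// so this returns null; that is the incompatibility the thread is about.
function tokenFromCookieString(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'csrftoken') return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Request headers for the AJAX call. X-CSRFToken is what CsrfViewMiddleware
// reads for POST/PUT/DELETE; failing loudly here is better than a silent 403.
function csrfHeaders(token) {
  if (!token) throw new Error('no CSRF token available in the page');
  return { 'X-CSRFToken': token, 'X-Requested-With': 'XMLHttpRequest' };
}

// Hypothetical browser usage: token from the page, headers on the XHR.
// Only call this where `document` and `XMLHttpRequest` exist.
function postWithCsrf(url, body) {
  const token = extractCsrfToken(document.documentElement.outerHTML);
  const headers = csrfHeaders(token);
  const xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  for (const name in headers) xhr.setRequestHeader(name, headers[name]);
  xhr.send(body);
  return xhr;
}

// Constructed sample page fragment and cookie strings (placeholder values).
const SAMPLE_PAGE =
  '<form method="post" action="/comment/">' +
  '<input type="hidden" name="csrfmiddlewaretoken" value="EXAMPLETOKEN1234567890abcdef" />' +
  '<textarea name="text"></textarea></form>';
// What document.cookie looks like when csrftoken is HttpOnly: it is simply absent.
const SAMPLE_DOCUMENT_COOKIE_HTTPONLY = 'lang=en';
// What it looks like without the flag (the situation the docs' snippet assumes).
const SAMPLE_DOCUMENT_COOKIE_PLAIN = 'lang=en; csrftoken=EXAMPLETOKEN1234567890abcdef';
```

The token in the hidden input and the token in the cookie are the same value, so the server-side check is unchanged; only the client-side source of the token moves. If the page has no form, the same token can be rendered into a `data-` attribute or a small inline script via `{{ csrf_token }}` and read from there.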

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAFHbX1%2ByLnExr2VX%3DpgMqdGpdpA6YgK6v9kZFpvv%2BG-mnxcb2Q%40mail.gmail.com.