#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
          Reporter:  bthomas                 |         Owner:  lukeplant
            Status:  assigned                |     Milestone:           
         Component:  Uncategorized           |       Version:  SVN      
        Resolution:                          |      Keywords:  csrf     
             Stage:  Design decision needed  |     Has_patch:  1        
        Needs_docs:  1                       |   Needs_tests:  0        
Needs_better_patch:  1                       |  
---------------------------------------------+------------------------------
Comment (by Glenn):

 > Why don't we reject all POST requests that have neither CSRF cookie nor
 > the session cookie

 The rationale was so forms don't break if the user is filtering cookies
 (e.g. Privoxy), and because this was the existing behavior.

 This isn't a problem as long as CSRF exemption is being used properly.  I
 suspect it often won't be--minority cases are often overlooked.  But,
 handling login CSRF is probably more important.

 > Why do we actually need to have a unique CSRF cookie

 It probably doesn't matter; if the user has multiple sites on the same
 domain with access to each others' cookies, they have to trust each other
 anyway.

 There's a somewhat more convincing argument for explicitly including the
 CSRF form token in that PDF than the ones I've heard here: if it's added
 automatically, then any form going out of the trusted site will leak the
 token.

 Another thought: is there a specific benefit to hashing the token?  The
 cookies are sensitive data to begin with; if someone can read your
 cookies, you're already doomed.  There's a benefit to eliminating this
 hash: JavaScript that creates a form dynamically can include the CSRF
 token client-side simply by reading the cookie.  Right now, scripts
 don't have access to the token unless it's exposed manually in some
 other way.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:28>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
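The design trade-offs Glenn raises (lenient vs. strict handling of a POST with no cookies, and a hashed form token vs. one that simply equals the cookie, which a script can read) can be compared side by side in a small model. The following is an added example for this discussion, not Django's CSRF middleware and not code from the ticket; the cookie names `csrftoken` and `sessionid`, the `SITE_SECRET` value, the request dicts and the HMAC-SHA256 hash are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed placeholder for a per-site secret; not a real Django setting.
SITE_SECRET = b"example-site-secret"


def new_csrf_cookie():
    """Random per-visitor CSRF cookie value (the 'unique CSRF cookie' in the thread)."""
    return secrets.token_hex(16)


def form_token(cookie_value, hashed):
    """Token a form must carry for a given CSRF cookie.

    hashed=True models the hashed design: the form token is a keyed hash of the
    cookie, so client-side script cannot derive it from document.cookie alone.
    hashed=False models the plain double-submit design: the form token is the
    cookie value itself, so script can copy it straight out of the cookie.
    """
    if hashed:
        return hmac.new(SITE_SECRET, cookie_value.encode(), hashlib.sha256).hexdigest()
    return cookie_value


def check_post(request, hashed=True, reject_when_no_cookies=False):
    """Decide whether a POST passes the CSRF check.

    request is a constructed dict: {'cookies': {...}, 'post': {...}}.
    reject_when_no_cookies=False reproduces the lenient behaviour described in
    the comment (users filtering cookies still get their forms through);
    True is the stricter alternative raised in the quoted question.
    Returns (accepted, reason).
    """
    cookies = request.get("cookies", {})
    csrf_cookie = cookies.get("csrftoken")
    has_session = "sessionid" in cookies
    if csrf_cookie is None and not has_session:
        if reject_when_no_cookies:
            return False, "no CSRF cookie and no session cookie"
        return True, "no cookies at all; nothing for a forged request to ride on"
    if csrf_cookie is None:
        return False, "session cookie present but CSRF cookie missing"
    submitted = request.get("post", {}).get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, form_token(csrf_cookie, hashed)):
        return False, "form token does not match CSRF cookie"
    return True, "ok"


def script_built_form(cookies):
    """Model of JavaScript that builds a form dynamically using only what it can
    read from document.cookie: it copies the cookie value into the token field."""
    return {"cookies": cookies, "post": {"csrfmiddlewaretoken": cookies.get("csrftoken", "")}}


def demo():
    """Run the scenarios from the discussion and return accept/reject per case."""
    cookie = new_csrf_cookie()
    with_session = {"csrftoken": cookie, "sessionid": "s1"}  # constructed browser state
    results = {}
    # A server-rendered form carrying the hashed token is accepted.
    good = {"cookies": with_session, "post": {"csrfmiddlewaretoken": form_token(cookie, True)}}
    results["server_form_hashed"] = check_post(good, hashed=True)[0]
    # A cross-site attacker cannot read the cookie, so any guessed token fails
    # under either design: hashing is not what stops the forgery.
    forged = {"cookies": with_session, "post": {"csrfmiddlewaretoken": "guess"}}
    results["forged_hashed"] = check_post(forged, hashed=True)[0]
    results["forged_plain"] = check_post(forged, hashed=False)[0]
    # A same-origin script-built form fails under hashing (it cannot compute the
    # hash from the cookie) but works when the token is the cookie itself.
    results["script_form_hashed"] = check_post(script_built_form(with_session), hashed=True)[0]
    results["script_form_plain"] = check_post(script_built_form(with_session), hashed=False)[0]
    # A user filtering all cookies: accepted under the lenient policy, rejected under the strict one.
    no_cookies = {"cookies": {}, "post": {}}
    results["no_cookies_lenient"] = check_post(no_cookies, reject_when_no_cookies=False)[0]
    results["no_cookies_strict"] = check_post(no_cookies, reject_when_no_cookies=True)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The model makes the comment's point concrete: a forged cross-site POST is rejected under both token designs, since the attacker never sees the cookie, so hashing buys nothing against the attacker; what it changes is that same-origin script can no longer obtain a valid token from `document.cookie`. The `reject_when_no_cookies` flag isolates the other question, the cost of the lenient policy being that a request from a cookie-filtering client is indistinguishable from one with its cookies stripped.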