#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: Uncategorized | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by lukeplant):
Replying to [comment:28 Glenn]:
> Another thought: is there a specific benefit to hashing the token? The
> cookies are sensitive data to begin with; if someone can read your
> cookies, you're already doomed. There's a benefit to eliminating this
> hash: JavaScript that creates a form dynamically can include the CSRF
> token client-side simply by reading the cookie. Right now, scripts
> don't have access to the token unless it's exposed manually in some
> other way.
I've pondered this too - I originally added the hashing with a server-side
secret to make sure that the form had indeed been generated by the server,
and not by anyone else.
Having thought about it, I can come up with at least one scenario where
having this hash is useful. In the case of untrusted sub-domains, a page
on `attacker.example.com` could send a header like this `Set-Cookie:
csrf=myval,domain=.example.com`. They would then be able to generate a
form targeted at `victim.example.com` containing `<input name="csrf_token"
value="myval">`, and since the token would match the cookie they set, the
CSRF attack would be successful. With the server side hashing of the
token, we avoid this. (I believe that attempts by malicious subdomains to
get around this by javascript and iframes etc. will fail due to browser
policies, just as with cross-domain attacks).
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:29>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
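As an added illustration of the untrusted-subdomain scenario in the comment above (example code written for this page, not Django's CSRF middleware; the server secret, the HMAC-SHA256 construction and the function names are assumptions), the two checks below compare a scheme where the form field must equal the cookie with one where the form field must equal a keyed hash of the cookie:

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; stands in for the framework's secret key.
SERVER_SECRET = b"constructed-server-secret-for-this-example"


def new_cookie_value() -> str:
    """Random value the server stores in the csrf cookie."""
    return secrets.token_hex(16)


def form_token(cookie_value: str, secret: bytes = SERVER_SECRET) -> str:
    """Value the server embeds in <input name="csrf_token">: an HMAC of the
    cookie value under the server secret, so only the server can derive it."""
    return hmac.new(secret, cookie_value.encode(), hashlib.sha256).hexdigest()


def check_unhashed(cookie_value: str, submitted: str) -> bool:
    """Scheme from the quoted suggestion: the form field must equal the cookie."""
    return hmac.compare_digest(cookie_value, submitted)


def check_hashed(cookie_value: str, submitted: str,
                 secret: bytes = SERVER_SECRET) -> bool:
    """Scheme defended in the comment: the form field must equal
    HMAC(secret, cookie), which a subdomain without the secret cannot produce."""
    return hmac.compare_digest(form_token(cookie_value, secret), submitted)


def subdomain_scenario() -> dict:
    """Constructed scenario from the comment: attacker.example.com sets
    csrf=myval for domain=.example.com and submits csrf_token=myval to
    victim.example.com. Returns whether each scheme accepts that request."""
    attacker_cookie = "myval"      # cookie value the subdomain set
    attacker_form_field = "myval"  # csrf_token field in the forged form
    return {
        "unhashed_accepts_forgery": check_unhashed(attacker_cookie, attacker_form_field),
        "hashed_accepts_forgery": check_hashed(attacker_cookie, attacker_form_field),
    }


def legitimate_round_trip() -> bool:
    """A form rendered by the server itself still validates under the hashed scheme."""
    cookie = new_cookie_value()
    return check_hashed(cookie, form_token(cookie))
```

The `hashed_accepts_forgery` result is `False` because the forged field would have to equal the keyed hash of the cookie, not the cookie itself.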