File Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch of Package python-django
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 4711baa..244d1f2 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -531,6 +531,7 @@ CSRF_COOKIE_NAME = 'csrftoken'
CSRF_COOKIE_DOMAIN = None
CSRF_COOKIE_PATH = '/'
CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_HTTPONLY = False
############
# MESSAGES #
diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py
index fd8ff30..f977263 100644
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -208,7 +208,8 @@ class CsrfViewMiddleware(object):
max_age = 60 * 60 * 24 * 7 * 52,
domain=settings.CSRF_COOKIE_DOMAIN,
path=settings.CSRF_COOKIE_PATH,
- secure=settings.CSRF_COOKIE_SECURE
+ secure=settings.CSRF_COOKIE_SECURE,
+ httponly=settings.CSRF_COOKIE_HTTPONLY
)
# Content varies with the CSRF cookie, so set the Vary header.
patch_vary_headers(response, ('Cookie',))
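Review bot: The new `httponly=settings.CSRF_COOKIE_HTTPONLY` argument deserves a comment here, because the CSRF cookie is the value that AJAX code commonly reads from `document.cookie` to populate the X-CSRFToken header, and enabling this flag makes that cookie unreadable to JavaScript; something like `# HttpOnly hides the token from JS: AJAX callers must then take it from the form field rather than the cookie` above the `set_cookie` call would record that trade-off where the next maintainer sees it. The accompanying docs hunks in csrf.txt and settings.txt also describe the effect as JavaScript not being able to access the "session cookie", which looks copied from SESSION_COOKIE_HTTPONLY and should read "CSRF cookie". The enclosing `set_cookie` call and its method begin before this hunk.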
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 0ff9bd1..74584ad 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -482,6 +482,17 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
the cookie will be marked as "secure," which means browsers may ensure that the
cookie is only sent under an HTTPS connection.
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie.
+
CSRF_FAILURE_VIEW
-----------------
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index a1b76f6..56f5ddf 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -362,6 +362,19 @@ Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
the cookie will be marked as "secure," which means browsers may ensure that the
cookie is only sent under an HTTPS connection.
+.. setting:: CSRF_COOKIE_HTTPONLY
+
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie. See :setting:`SESSION_COOKIE_HTTPONLY`.
+
.. setting:: CSRF_FAILURE_VIEW
CSRF_FAILURE_VIEW
diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py
index 2d9b4f7..093d127 100644
--- a/tests/regressiontests/csrf_tests/tests.py
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -100,7 +100,8 @@ class CsrfViewMiddlewareTest(TestCase):
with self.settings(CSRF_COOKIE_NAME='myname',
CSRF_COOKIE_DOMAIN='.example.com',
CSRF_COOKIE_PATH='/test/',
- CSRF_COOKIE_SECURE=True):
+ CSRF_COOKIE_SECURE=True,
+ CSRF_COOKIE_HTTPONLY=True):
# token_view calls get_token() indirectly
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
@@ -109,6 +110,7 @@ class CsrfViewMiddlewareTest(TestCase):
self.assertNotEqual(csrf_cookie, False)
self.assertEqual(csrf_cookie['domain'], '.example.com')
self.assertEqual(csrf_cookie['secure'], True)
+ self.assertEqual(csrf_cookie['httponly'], True)
self.assertEqual(csrf_cookie['path'], '/test/')
self.assertTrue('Cookie' in resp2.get('Vary',''))
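Review bot: The added `self.assertEqual(csrf_cookie['httponly'], True)` only covers the enabled case, so an implementation that unconditionally set HttpOnly on the CSRF cookie would still pass; the default path (`CSRF_COOKIE_HTTPONLY = False`, as added in global_settings.py) needs a matching negative assertion. In a test that leaves the setting at its default, `self.assertFalse(csrf_cookie['httponly'])` would pin that behaviour, since the cookie attribute is empty when the flag is not applied. The test method this hunk belongs to starts before the hunk, so the right place for the negative case is presumably an existing default-settings test in the same class.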