File Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch of Package python-django
Index: django/conf/global_settings.py =================================================================== --- django/conf/global_settings.py.orig +++ django/conf/global_settings.py @@ -535,6 +535,7 @@ CSRF_COOKIE_NAME = 'csrftoken' CSRF_COOKIE_DOMAIN = None CSRF_COOKIE_PATH = '/' CSRF_COOKIE_SECURE = False +CSRF_COOKIE_HTTPONLY = False ############ # MESSAGES # Index: django/middleware/csrf.py =================================================================== --- django/middleware/csrf.py.orig +++ django/middleware/csrf.py @@ -208,7 +208,8 @@ class CsrfViewMiddleware(object): max_age = 60 * 60 * 24 * 7 * 52, domain=settings.CSRF_COOKIE_DOMAIN, path=settings.CSRF_COOKIE_PATH, - secure=settings.CSRF_COOKIE_SECURE + secure=settings.CSRF_COOKIE_SECURE, + httponly=settings.CSRF_COOKIE_HTTPONLY ) # Content varies with the CSRF cookie, so set the Vary header. patch_vary_headers(response, ('Cookie',)) Index: docs/ref/contrib/csrf.txt =================================================================== --- docs/ref/contrib/csrf.txt.orig +++ docs/ref/contrib/csrf.txt @@ -543,6 +543,17 @@ Whether to use a secure cookie for the C the cookie will be marked as "secure," which means browsers may ensure that the cookie is only sent under an HTTPS connection. +CSRF_COOKIE_HTTPONLY +------------------ + +.. versionadded:: 1.5 + +Default: ``False`` + +Whether to use HttpOnly flag on the CSRF cookie. If this is set to +``True``, client-side JavaScript will not to be able to access the +session cookie. + CSRF_FAILURE_VIEW ----------------- Index: docs/ref/settings.txt =================================================================== --- docs/ref/settings.txt.orig +++ docs/ref/settings.txt 
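Review bot: The new `httponly=settings.CSRF_COOKIE_HTTPONLY` argument in the csrf.py hunk should be documented as a compatibility trade-off rather than a hardening measure: when enabled it stops the documented AJAX pattern of reading `csrftoken` from `document.cookie` to populate the `X-CSRFToken` header, while giving no real protection against XSS, since a script already running on the same origin can read the token from the hidden form field on the page or simply issue same-origin requests. The `False` default is therefore the right choice, and a comment next to this call should say so, e.g. `# HttpOnly blocks JS from reading the token out of document.cookie and does not defend against XSS; keep it opt-in`. The documentation hunks in this same patch describe the flag as hiding the "session cookie" and read "will not to be able"; they should say "CSRF cookie" and carry the same caveat so deployers do not enable it expecting a security gain. The enclosing method of `CsrfViewMiddleware` starts and ends outside this hunk, so the condition guarding this `set_cookie` call is not visible here.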
@@ -362,6 +362,19 @@ Whether to use a secure cookie for the C the cookie will be marked as "secure," which means browsers may ensure that the cookie is only sent under an HTTPS connection. +.. setting:: CSRF_COOKIE_HTTPONLY + +CSRF_COOKIE_HTTPONLY +------------------ + +.. versionadded:: 1.5 + +Default: ``False`` + +Whether to use HttpOnly flag on the CSRF cookie. If this is set to +``True``, client-side JavaScript will not to be able to access the +session cookie. See :setting:`SESSION_COOKIE_HTTPONLY`. + .. setting:: CSRF_FAILURE_VIEW CSRF_FAILURE_VIEW Index: tests/regressiontests/csrf_tests/tests.py =================================================================== --- tests/regressiontests/csrf_tests/tests.py.orig +++ tests/regressiontests/csrf_tests/tests.py @@ -101,7 +101,8 @@ class CsrfViewMiddlewareTest(TestCase): with self.settings(CSRF_COOKIE_NAME='myname', CSRF_COOKIE_DOMAIN='.example.com', CSRF_COOKIE_PATH='/test/', - CSRF_COOKIE_SECURE=True): + CSRF_COOKIE_SECURE=True, + CSRF_COOKIE_HTTPONLY=True): # token_view calls get_token() indirectly CsrfViewMiddleware().process_view(req, token_view, (), {}) resp = token_view(req) @@ -110,6 +111,7 @@ class CsrfViewMiddlewareTest(TestCase): self.assertNotEqual(csrf_cookie, False) self.assertEqual(csrf_cookie['domain'], '.example.com') self.assertEqual(csrf_cookie['secure'], True) + self.assertEqual(csrf_cookie['httponly'], True) self.assertEqual(csrf_cookie['path'], '/test/') self.assertTrue('Cookie' in resp2.get('Vary',''))
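Review bot: The added `self.assertEqual(csrf_cookie['httponly'], True)` in the second tests.py hunk only covers the opt-in path; nothing checks that with the default `CSRF_COOKIE_HTTPONLY = False` the cookie stays readable from JavaScript, which is what the AJAX token-fetching pattern relies on. A companion assertion in a test that does not override the setting, e.g. `self.assertFalse(csrf_cookie['httponly'])`, would pin the default (the cookie Morsel attribute is left empty when the flag is not set, so a falsy check is the portable form). The enclosing test method begins in the preceding hunk and its end is not visible here.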