File Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch of Package python-django

Overview Repositories Revisions Requests Users Attributes Meta

File Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch of Package python-django

Index: django/conf/global_settings.py
===================================================================
--- django/conf/global_settings.py.orig
+++ django/conf/global_settings.py
@@ -535,6 +535,7 @@ CSRF_COOKIE_NAME = 'csrftoken'
 CSRF_COOKIE_DOMAIN = None
 CSRF_COOKIE_PATH = '/'
 CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_HTTPONLY = False
 
 ############
 # MESSAGES #
Index: django/middleware/csrf.py
===================================================================
--- django/middleware/csrf.py.orig
+++ django/middleware/csrf.py
@@ -208,7 +208,8 @@ class CsrfViewMiddleware(object):
                             max_age = 60 * 60 * 24 * 7 * 52,
                             domain=settings.CSRF_COOKIE_DOMAIN,
                             path=settings.CSRF_COOKIE_PATH,
-                            secure=settings.CSRF_COOKIE_SECURE
+                            secure=settings.CSRF_COOKIE_SECURE,
+                            httponly=settings.CSRF_COOKIE_HTTPONLY
                             )
         # Content varies with the CSRF cookie, so set the Vary header.
         patch_vary_headers(response, ('Cookie',))
Index: docs/ref/contrib/csrf.txt
===================================================================
--- docs/ref/contrib/csrf.txt.orig
+++ docs/ref/contrib/csrf.txt
@@ -543,6 +543,17 @@ Whether to use a secure cookie for the C
 the cookie will be marked as "secure," which means browsers may ensure that the
 cookie is only sent under an HTTPS connection.
 
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie.
+
 CSRF_FAILURE_VIEW
 -----------------
 
Index: docs/ref/settings.txt
===================================================================
--- docs/ref/settings.txt.orig
+++ docs/ref/settings.txt
@@ -362,6 +362,19 @@ Whether to use a secure cookie for the C
 the cookie will be marked as "secure," which means browsers may ensure that the
 cookie is only sent under an HTTPS connection.
 
+.. setting:: CSRF_COOKIE_HTTPONLY
+
+CSRF_COOKIE_HTTPONLY
+------------------
+
+.. versionadded:: 1.5
+
+Default: ``False``
+
+Whether to use HttpOnly flag on the CSRF cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie. See :setting:`SESSION_COOKIE_HTTPONLY`.
+
 .. setting:: CSRF_FAILURE_VIEW
 
 CSRF_FAILURE_VIEW
Index: tests/regressiontests/csrf_tests/tests.py
===================================================================
--- tests/regressiontests/csrf_tests/tests.py.orig
+++ tests/regressiontests/csrf_tests/tests.py
@@ -101,7 +101,8 @@ class CsrfViewMiddlewareTest(TestCase):
         with self.settings(CSRF_COOKIE_NAME='myname',
                            CSRF_COOKIE_DOMAIN='.example.com',
                            CSRF_COOKIE_PATH='/test/',
-                           CSRF_COOKIE_SECURE=True):
+                           CSRF_COOKIE_SECURE=True,
+                           CSRF_COOKIE_HTTPONLY=True):
             # token_view calls get_token() indirectly
             CsrfViewMiddleware().process_view(req, token_view, (), {})
             resp = token_view(req)
@@ -110,6 +111,7 @@ class CsrfViewMiddlewareTest(TestCase):
         self.assertNotEqual(csrf_cookie, False)
         self.assertEqual(csrf_cookie['domain'], '.example.com')
         self.assertEqual(csrf_cookie['secure'], True)
+        self.assertEqual(csrf_cookie['httponly'], True)
         self.assertEqual(csrf_cookie['path'], '/test/')
         self.assertTrue('Cookie' in resp2.get('Vary',''))

Places

File Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch of Package python-django

Places