-
-
Notifications
You must be signed in to change notification settings - Fork 695
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSRF protection #798
CSRF protection #798
Conversation
Needs unit tests. More importantly: needs very, very careful consideration of how this plays with HTTP caching. |
I don't want to set a cookie on a page response that is being cached. Right now the ASGI middleware will be doing exactly that, which is bad. But how do I get certainty that when you load a page with a form that will be CSRF protected you have been served the cookie? Maybe those pages should do something explicit to the request object indicating that the cookie is needed? That works for Datasette (since it has mutable request objects) but I'm not sure how it would work in the asgi-csrf pure ASGI middleware context. |
Django docs on CSRF and caching: https://docs.djangoproject.com/en/3.0/ref/csrf/#caching
So the cookie is only set for pages that included a hidden csrftoken form field! This could work. |
I'm solving the compatibility with caching problem in this ticket: simonw/asgi-csrf#7 |
Add unit tests illustrating the |
- Use new csrftoken() function, refs simonw/asgi-csrf#7 - Check for Vary: Cookie hedaer, refs simonw/asgi-csrf#8 Refs #793 and #798
Refs #793