Django 1.6 introduces a new setting to make the CSRF cookie (which is separate from the session cookie) HttpOnly. https://docs.djangoproject.com/en/1.6/ref/settings/#csrf-cookie-httponly
Our docs say to use it https://github.com/openstack/horizon/blob/a0f7235278cfe187b2ff31bfb787548735111c8b/doc/source/topics/deployment.rst#secure-site-recommendations, so I assume it has been tested and works (offhand, I wasn't sure if our javascript was ever used to extract and send that value in a form). On the other hand, our documentation suggests this has been available since 1.4, which is wrong. So that's not exactly confidence inspiring.
@Zhang Yun, can you verify that setting CSRF_COOKIE_HTTPONLY = True in your local_settings file addresses your concern?
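One way to confirm that the setting actually took effect on a deployment, as an added example that is not part of this thread or of the Horizon code base: inspect the Set-Cookie headers a Horizon page returns and check that csrftoken carries HttpOnly. The header lines below are constructed samples, and cookie_flags / csrf_cookie_is_httponly are hypothetical helper names.

```python
# Added example (not from the bug thread or Horizon): check whether the
# csrftoken cookie in a response carries the HttpOnly flag, i.e. whether
# CSRF_COOKIE_HTTPONLY = True is in effect. Feed it the Set-Cookie header
# values of a real response (e.g. from `curl -i` or requests); the headers
# below are constructed samples of what Django emits without / with the setting.
from http.cookies import SimpleCookie


def cookie_flags(set_cookie_headers):
    """Map each cookie name to its Secure/HttpOnly flags from Set-Cookie headers."""
    flags = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Morsel stores absent attributes as "", present flags as True.
            flags[name] = {
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
            }
    return flags


def csrf_cookie_is_httponly(set_cookie_headers, cookie_name="csrftoken"):
    """True only if the CSRF cookie is present and carries HttpOnly."""
    return cookie_flags(set_cookie_headers).get(cookie_name, {}).get("httponly", False)


# Constructed samples. The session cookie is HttpOnly by default; the CSRF
# cookie only becomes HttpOnly once CSRF_COOKIE_HTTPONLY is enabled.
DEFAULT_HEADERS = [
    "csrftoken=EXAMPLETOKEN; Path=/; Max-Age=31449600",
    "sessionid=EXAMPLESESSION; Path=/; HttpOnly",
]
HARDENED_HEADERS = [
    "csrftoken=EXAMPLETOKEN; Path=/; Max-Age=31449600; Secure; HttpOnly",
    "sessionid=EXAMPLESESSION; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, cookie_flags(headers), "csrftoken HttpOnly:", csrf_cookie_is_httponly(headers))
```

Because an HttpOnly csrftoken cookie is invisible to document.cookie, any JavaScript that submits the token must read it from the hidden csrfmiddlewaretoken input rendered by the csrf_token template tag rather than from the cookie.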