Comment 2 for bug 1369876

Doug Fish (drfish) wrote:

Django 1.6 introduces a new setting to make the csrf cookie (which is separate from the session cookie) httponly.
https://docs.djangoproject.com/en/1.6/ref/settings/#csrf-cookie-httponly

Our docs say to use it
https://github.com/openstack/horizon/blob/a0f7235278cfe187b2ff31bfb787548735111c8b/doc/source/topics/deployment.rst#secure-site-recommendations
so I assume it has been tested and works (offhand, I wasn't sure if our javascript was ever used to extract and send that value in a form), on the other hand our documentation suggests this has been available since 1.4, which is wrong. So that's not exactly confidence inspiring.

@Zhang Yun, can you verify that setting
CSRF_COOKIE_HTTPONLY = True in your local_settings file addresses your concern?
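A quick way to confirm that the setting actually took effect in a deployment is to inspect the Set-Cookie headers the site returns. The check below is an added example, not Horizon's or Django's own code; it assumes Django's default cookie name `csrftoken` and uses constructed headers in place of a real response. Note that once the cookie is HttpOnly, page JavaScript can no longer read the token from `document.cookie` and must take it from the hidden form field instead.

```python
"""Check whether the Django CSRF cookie is issued with HttpOnly (and Secure)."""
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers standing in for two deployments (not real captures).
WEAK_HEADERS = [
    "csrftoken=abc123; Max-Age=31449600; Path=/",          # CSRF_COOKIE_HTTPONLY unset
    "sessionid=xyz789; Path=/; HttpOnly",
]
HARDENED_HEADERS = [
    "csrftoken=abc123; Max-Age=31449600; Path=/; Secure; HttpOnly",
    "sessionid=xyz789; Path=/; Secure; HttpOnly",
]


def cookie_flags(set_cookie_headers):
    """Map each cookie name to its HttpOnly / Secure flags, parsed from Set-Cookie headers."""
    flags = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; attr; attr=value" into Morsel objects
        for name, morsel in jar.items():
            flags[name] = {
                "httponly": bool(morsel["httponly"]),  # '' when absent, True when present
                "secure": bool(morsel["secure"]),
            }
    return flags


def csrf_cookie_findings(set_cookie_headers, csrf_cookie_name="csrftoken"):
    """Return a list of problems with the CSRF cookie; an empty list means it is hardened."""
    flags = cookie_flags(set_cookie_headers)
    if csrf_cookie_name not in flags:
        return [f"{csrf_cookie_name} cookie not set in response"]
    findings = []
    if not flags[csrf_cookie_name]["httponly"]:
        findings.append(f"{csrf_cookie_name} missing HttpOnly (set CSRF_COOKIE_HTTPONLY = True)")
    if not flags[csrf_cookie_name]["secure"]:
        findings.append(f"{csrf_cookie_name} missing Secure (set CSRF_COOKIE_SECURE = True)")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, csrf_cookie_findings(headers) or "OK")
```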