Skip to content

CSRF protection#798

Merged
simonw merged 6 commits intomasterfrom
csrf
Jun 5, 2020
Merged

CSRF protection#798
simonw merged 6 commits intomasterfrom
csrf

Conversation

@simonw
Copy link
Owner

@simonw simonw commented Jun 5, 2020

Refs #793

@simonw
Copy link
Owner Author

simonw commented Jun 5, 2020

Needs unit tests.

More importantly: needs very, very careful consideration of how this plays with HTTP caching.

@simonw
Copy link
Owner Author

simonw commented Jun 5, 2020
edited
Loading

I don't want to set a cookie on a page response that is being cached.

Right now the ASGI middleware will be doing exactly that, which is bad.

But how do I get certainty that when you load a page with a form that will be CSRF protected you have been served the cookie?

Maybe those pages should do something explicit to the request object indicating that the cookie is needed?

That works for Datasette (since it has mutable request objects) but I'm not sure how it would work in the asgi-csrf pure ASGI middleware context.

@simonw
Copy link
Owner Author

simonw commented Jun 5, 2020
edited
Loading

Django docs on CSRF and caching: https://docs.djangoproject.com/en/3.0/ref/csrf/#caching

If the csrf_token template tag is used by a template (or the get_token function is called some other way), CsrfViewMiddleware will add a cookie and a Vary: Cookie header to the response. This means that the middleware will play well with the cache middleware if it is used as instructed

So the cookie is only set for pages that included a hidden csrftoken form field! This could work.

@simonw simonw mentioned this pull request Jun 5, 2020
Closed
@simonw simonw mentioned this pull request Jun 5, 2020
Closed
@simonw
Copy link
Owner Author

simonw commented Jun 5, 2020

I'm solving the compatibility with caching problem in this ticket: simonw/asgi-csrf#7

@simonw simonw mentioned this pull request Jun 5, 2020
Closed
@simonw
Copy link
Owner Author

simonw commented Jun 5, 2020

Add unit tests illustrating the Vary: Cookie header and I'm done here.

@simonw
Wrapping up work on CSRF
fe43963 
- Use new csrftoken() function, refs simonw/asgi-csrf#7
- Check for Vary: Cookie hedaer, refs simonw/asgi-csrf#8

Refs #793 and #798
@simonw simonw merged commit 84a9c4f into master Jun 5, 2020
@simonw simonw deleted the csrf branch June 5, 2020 19:05
@simonw simonw modified the milestones: Datasette 1.0, Datasette 0.44 Jun 5, 2020
This was referenced Jun 9, 2020
Closed
Closed
simonw added a commit that referenced this pull request Jun 12, 2020
@simonw
Release Datasette 0.44
b906030 
Refs #395, #519, #576, #699, #706, #774, #777, #781, #784, #788, #790, #797,
#798, #800, #802, #804, #819, #822, #825, #826, #827, #828, #829, #830,
#833, #836, #837, #839

Closes #806.
@simonw simonw mentioned this pull request Jun 18, 2020
Closed
@simonw simonw mentioned this pull request Aug 9, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

Datasette 0.44

Development

Successfully merging this pull request may close these issues.

1 participant

@simonw