CSRF cookie fails on HttpOnly #432

mailbackwards · 2016-04-20T18:14:44Z

When CSRF_COOKIE_HTTPONLY is enabled in Django, django-rest-swagger always errors with:

{"detail": "CSRF Failed: CSRF token missing or incorrect."}

I think this is because it's unable to retrieve the CSRF token using $.cookie here. Instead it needs to grab it from the DOM. My current workaround is to add a {% csrf_token %} to the api_selector block and then manually set the cookie:

{% block body %}
  {{ block.super }}
  <script type="text/javascript">
    $.cookie('csrftoken', $("input[name='csrfmiddlewaretoken']").val());
  </script>
{% endblock %}

This feels like an ugly fix and potential security issue (since it's effectively undoing HTTPONLY) for a relatively common use case. My suggestion is a toggleable setting to conditionally include the CSRF token in the template, and conditionally look for that DOM value in shred.bundle.js instead of getting it from $.cookie.

The text was updated successfully, but these errors were encountered:

marcgibbons · 2016-07-15T17:32:08Z

@mailbackwards This has been implemented in v2. Sorry for the late response!

marcgibbons closed this as completed Jul 15, 2016

pyup-bot mentioned this issue Jan 25, 2017

Update django-rest-swagger to 2.1.1 rocket-league-replays/rocket-league-replays#49

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSRF cookie fails on HttpOnly #432

CSRF cookie fails on HttpOnly #432

mailbackwards commented Apr 20, 2016

marcgibbons commented Jul 15, 2016

CSRF cookie fails on HttpOnly #432

CSRF cookie fails on HttpOnly #432

Comments

mailbackwards commented Apr 20, 2016

marcgibbons commented Jul 15, 2016