Hi, I'm using Django 1.4.1b, and for security purposes would like to make the csrftoken cookie httponly, and therefore inaccessible from JavaScript. Since this support is not available in my version of Django, I planned to follow this implementation approach: http://stackoverflow.com/questions/10861784/django-csrf-cookie-httponly.
But I also build AJAX requests, where I use the suggested approach outlined in the Django docs (https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#ajax), which involves getting the cookie and setting the x-csrftoken header in JavaScript. It looks to me like these two goals are fundamentally incompatible. Am I wrong? Is there some way to have both httponly csrf cookies and AJAX? Many thanks!

Spork

