tjcsl / ion

TJ Intranet 3
https://ion.tjhsst.edu
GNU General Public License v2.0

Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token. #375

Closed pefoley2 closed 5 years ago

pefoley2 commented 8 years ago

We need to audit ajax requests to prevent this change from breaking them. https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-CSRF_COOKIE_HTTPONLY

pefoley2 commented 8 years ago

Appears that https://github.com/tjcsl/ion/blob/master/intranet/static/js/common.js#L8 is the only place that needs updating.

ezwang commented 8 years ago

https://github.com/tjcsl/ion/blob/master/intranet/static/js/files.js#L24 will also need updating
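The two comments above point at page scripts that read the CSRF token out of `document.cookie`; once `CSRF_COOKIE_HTTPONLY = True` is set, that cookie is no longer visible to JavaScript and the AJAX calls would start failing with 403s. The following is an added example, not code from the ion repository, showing the pattern that breaks and the replacement Django documents for this case: read the token from the hidden `csrfmiddlewaretoken` input that `{% csrf_token %}` renders and send it in the `X-CSRFToken` header. The cookie strings, HTML snippet and token value are constructed so the script runs under Node; the `getCookie` helper is an assumed generic cookie reader, not the one in common.js or files.js. Django's own documentation notes that the HttpOnly flag on this cookie buys little in practice, since script running on the same origin can read the hidden input just as easily; the example exists to keep the AJAX paths working if the setting is enabled anyway.

```javascript
// Added example (not from tjcsl/ion): obtaining Django's CSRF token for AJAX
// requests before and after CSRF_COOKIE_HTTPONLY = True.

// Generic cookie reader (assumed pattern). With an HttpOnly CSRF cookie the
// browser omits "csrftoken" from document.cookie, so this returns null.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Replacement: read the token from the hidden input rendered by {% csrf_token %}.
// Takes the markup as a string so it runs outside a browser; in a real page use
// document.querySelector('input[name="csrfmiddlewaretoken"]').value instead.
function getCsrfTokenFromMarkup(html) {
  const match = html.match(/<input[^>]*name="csrfmiddlewaretoken"[^>]*value="([^"]*)"/);
  return match ? match[1] : null;
}

// Headers for an AJAX request. Django's CsrfViewMiddleware accepts the token in
// the X-CSRFToken header (default CSRF_HEADER_NAME) when no form field carries it.
function csrfHeaders(token) {
  if (!token) {
    throw new Error('CSRF token unavailable: cookie is HttpOnly and no hidden input found');
  }
  return { 'X-CSRFToken': token };
}

// Constructed sample data.
const TOKEN = 'constructed-csrf-token-value';
const COOKIES_BEFORE = 'sessionid=abc123; csrftoken=' + TOKEN; // cookie readable by script
const COOKIES_AFTER = 'sessionid=abc123';                      // csrftoken is HttpOnly: hidden
const PAGE_HTML =
  '<form method="post">' +
  '<input type="hidden" name="csrfmiddlewaretoken" value="' + TOKEN + '">' +
  '</form>';

// Walk through both cases and return what each approach yields.
function demo() {
  const fromCookieBefore = getCookie('csrftoken', COOKIES_BEFORE); // works today
  const fromCookieAfter = getCookie('csrftoken', COOKIES_AFTER);   // null once HttpOnly
  const fromMarkup = getCsrfTokenFromMarkup(PAGE_HTML);            // works either way
  return {
    fromCookieBefore,
    fromCookieAfter,
    headers: csrfHeaders(fromMarkup),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Auditing the AJAX calls then means replacing every `getCookie('csrftoken')` read with the hidden-input lookup (or a single shared helper) and confirming each request still sets `X-CSRFToken`; any call site left on the cookie path fails only at runtime, so the check is worth doing before flipping the setting.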

ovkulkarni commented 7 years ago

Is this still an issue?

theo-o commented 5 years ago

This does not appear to be an issue