Closed Bug 698427 Opened 13 years ago Closed 4 years ago

use django-session-csrf

Categories

(developer.mozilla.org Graveyard :: Wiki pages, defect)

Product:
developer.mozilla.org Graveyard
Component:
Wiki pages
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: groovecoder, Unassigned)

References

Details

See bug 649520
Whiteboard: u=user c=security p= → u=user c=security p=2
Assignee: nobody → jbennett
Target Milestone: 1.6 → 1.7
Target Milestone: 1.7 → ---
There's a conflict here, in that some of our existing code relies on django.utils.thread_support, which doesn't exist *after* Django 1.2, but django-session-csrf requires django.utils.crypto which doesn't exist *before* Django 1.3. So there's currently no way for us to integrate this.

What we probably want is a bug for migrating to Django 1.3+, and have that be a blocker for this one; once that part's sorted out, switching to the session CSRF middleware is easy (and see the branch named for this bug in my repo for the code).
Depends on: 703053
Blocks: 718522
Target Milestone: --- → 2.3
Target Milestone: 2.3 → ---
Depends on: 731209
Version: MDN → unspecified
Component: Website → Landing pages
Blocks: 789016
Whiteboard: u=user c=security p=2 → u=user c=security specifications
Priority: -- → P1
Whiteboard: u=user c=security specifications → [specification-like][type:feature]
Assignee: jbennett → nobody
Whiteboard: [specification-like][type:feature] → [type:feature]
Priority: P1 → P2
Assignee: nobody → jbennett
One hangup of django-session-csrf is that it requires some effort to CSRF-protect anything that a non-logged-in user would do. So far as I can tell, in kuma that only happens in two places: user signup, and user login. Which means we have a couple options:

1. We could just turn off CSRF protection for those views. I don't know what the security implications of that would be.

2. We can CSRF-protect them, but doing so requires us to make sure we are (and I'm pretty sure we are) set up to handle that with respect to the cache requirements for it.
No longer depends on: 731209
We should CSRF protect sign-in - we use it to change the email address for accounts.
Blocks: 900191
Severity: normal → enhancement
Priority: P2 → --
Bug 789016 blocks several contributors from MDN. Requiring a referer is a HTTP specification violation (see mentioned bug for references). Thus, this is a serious bug, not just a "nice to have" feature.
Severity: enhancement → normal
Whiteboard: [type:feature]
(In reply to Ben Bucksch (:BenB) from comment #4)
> Bug 789016 blocks several contributors from MDN. Requiring a referer is a
> HTTP specification violation (see mentioned bug for references). Thus, this
> is a serious bug, not just a "nice to have" feature.

+1

Is upgrading to django-session-csrf on the roadmap?
Assignee: jbennett → nobody
Is there any way to increase the priority of this bug?  We shouldn't require users to turn referrers on and decrease their privacy in order to contribute to MDN.  Browsers don't have a per origin referrer value override, so re-enabling referrers on MDN means re-enabling referrers everywhere.
MDN Web Docs' bug reporting has now moved to GitHub. From now on, please file content bugs at https://github.com/mdn/sprints/issues/ and platform bugs at https://github.com/mdn/kuma/issues/.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.