Closed Bug 1672713 Opened 5 years ago Closed 5 years ago

Remove django-session-csrf dependency

Categories

(Webtools Graveyard :: Pontoon, enhancement, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mail, Assigned: mail)

Details

Attachments

(1 file)

The package django-session-csrf has not been updated in 4 years. Originally, it was apparently meant to save CSRF tokens in the session instead of cookies. However, I'm not sure this package currently does what it claims. Additionally, this behavior can be natively enabled in Django with CSRF_USE_SESSIONS, or we simply use the default way of storing them as a cookie.

Either way, the package is not required anymore, and getting rid of it would also simplify the BaseConfig.

I can submit a PR for this.

I believe we store the CSRF token in the session for security reasons, so I'd keep the practice, especially if Django allows us to do that natively.

Assignee: nobody → pfischbeck
Status: UNCONFIRMED → ASSIGNED
Type: task → enhancement
Ever confirmed: true
Priority: -- → P3
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
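
The migration discussed in this bug (dropping django-session-csrf while keeping the CSRF token in the session through Django's native `CSRF_USE_SESSIONS`) can be checked with a small settings audit. This is an added example, not code from the bug, its attachment or Pontoon; the `BEFORE`/`AFTER` settings are constructed samples and `audit_csrf_settings` is a hypothetical helper name.

```python
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"


def audit_csrf_settings(settings):
    """Return a list of findings; an empty list means the migration is consistent."""
    findings = []
    middleware = list(settings.get("MIDDLEWARE", []))
    processors = [
        cp
        for tpl in settings.get("TEMPLATES", [])
        for cp in tpl.get("OPTIONS", {}).get("context_processors", [])
    ]
    # Any reference to the removed package's module (session_csrf) is a leftover.
    for name in (*settings.get("INSTALLED_APPS", []), *middleware, *processors):
        if name == "session_csrf" or name.startswith("session_csrf."):
            findings.append(f"leftover django-session-csrf reference: {name}")
    if CSRF_MW not in middleware:
        findings.append("CsrfViewMiddleware is not in MIDDLEWARE")
    if not settings.get("CSRF_USE_SESSIONS", False):
        # Django's default: the token lives in a cookie, not the session.
        findings.append("CSRF_USE_SESSIONS is not True: token is stored in a cookie")
    elif SESSION_MW not in middleware:
        findings.append("CSRF_USE_SESSIONS requires SessionMiddleware")
    elif CSRF_MW in middleware and middleware.index(SESSION_MW) > middleware.index(CSRF_MW):
        # Django raises ImproperlyConfigured at request time in this case.
        findings.append("SessionMiddleware must come before CsrfViewMiddleware")
    return findings


# Constructed sample settings (not Pontoon's real configuration).
BEFORE = {
    "INSTALLED_APPS": ["django.contrib.sessions", "session_csrf"],
    "MIDDLEWARE": [SESSION_MW, "session_csrf.CsrfMiddleware"],
    "TEMPLATES": [{"OPTIONS": {"context_processors": ["session_csrf.context_processor"]}}],
}
AFTER = {
    "INSTALLED_APPS": ["django.contrib.sessions"],
    "MIDDLEWARE": [SESSION_MW, CSRF_MW],
    "TEMPLATES": [{"OPTIONS": {"context_processors": []}}],
    "CSRF_USE_SESSIONS": True,
}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_csrf_settings(cfg) or "ok")
```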