setting csrftoken to httponly and building ajax forms: not going to happen?
Hi,
I'm using Django 1.4.1b, and for security purposes would like to make the csrftoken cookie httponly, and therefore inaccessible from Javascript. Since this support is not available in my version of Django, I planned to follow this implementation approach: http://stackoverflow.com/questions/10861784/django-csrf-cookie-httponly.
But I also build AJAX requests, where I use the suggested approach outlined in the Django docs (https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#ajax), which involves getting the cookie and setting the x-csrftoken header in Javascript.
It looks to me like these two goals are fundamentally incompatible. Am I wrong? Is there some way to have both httponly csrf cookies and AJAX?
Many thanks!
Spork
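One way to reconcile the two goals in the question, shown here as an added example that is not from the original post or from Django itself: leave the csrftoken cookie HttpOnly and have the JavaScript take the token from the hidden input that `{% csrf_token %}` renders into the page, sending it in the same `X-CSRFToken` header the docs describe. The function names are illustrative, and the example assumes CsrfViewMiddleware accepts the form token in that header (which it does in Django 1.4 and later).

```javascript
// Added example, not from the original post: take the CSRF token from the
// rendered {% csrf_token %} hidden input instead of the csrftoken cookie, so the
// cookie can be HttpOnly. Assumes CsrfViewMiddleware accepts that value in the
// X-CSRFToken header, as it does in Django 1.4 and later.

// Methods CsrfViewMiddleware treats as safe and therefore does not check.
var SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Token from <input name="csrfmiddlewaretoken">; `doc` is the real `document`
// or any stub with a querySelector method.
function csrfTokenFromForm(doc) {
  var input = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  return (input && input.value) ? input.value : null;
}

// Same-origin test in the spirit of the Django docs' snippet: relative URLs and
// URLs under our own origin qualify; anything else must never receive the token.
function sameOrigin(url, origin) {
  if (!/^(\/\/|https?:)/i.test(url)) return true;
  return url === origin || url.indexOf(origin + '/') === 0;
}

// Headers for an AJAX request: none for safe methods or foreign origins,
// {'X-CSRFToken': token} otherwise. Fails loudly if the page rendered no token.
function csrfHeadersFor(method, url, origin, token) {
  if (SAFE_METHODS.indexOf(method.toUpperCase()) !== -1 || !sameOrigin(url, origin)) {
    return {};
  }
  if (!token) {
    throw new Error('no CSRF token in page: render {% csrf_token %} inside a form');
  }
  return { 'X-CSRFToken': token };
}

// Browser wiring, mirroring the jQuery beforeSend hook from the Django docs but
// with the DOM rather than the cookie as token source. Skipped outside a browser.
if (typeof document !== 'undefined' && typeof jQuery !== 'undefined') {
  var pageOrigin = location.protocol + '//' + location.host;
  jQuery.ajaxSetup({
    beforeSend: function (xhr, settings) {
      var headers = csrfHeadersFor(settings.type, settings.url, pageOrigin,
                                   csrfTokenFromForm(document));
      Object.keys(headers).forEach(function (name) {
        xhr.setRequestHeader(name, headers[name]);
      });
    }
  });
}
```

Every page that issues such requests must render at least one form containing `{% csrf_token %}`, otherwise `csrfHeadersFor` throws before a request Django would reject is sent.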
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/9f422b3c-e822-4e1d-9e2b-19d2e680b0aa%40googlegroups.com.