HTTPONLY setting #88
@kiwipedro Please share with us your JavaScript or anything else that we might find useful, like a traceback or settings.py. I was able to test django-cookie-consent==0.3.2.dev1 and, in the testapp conf.py file https://github.com/jazzband/django-cookie-consent/blob/master/cookie_consent/conf.py, I was able to change the value of HTTPONLY to False in this file with the testapp and it worked. You should be able to use COOKIE_CONSENT_HTTPONLY = False in your project settings.py, though, which overrides the conf.py file when installing django-cookie-consent into your main project. If it still doesn't work, try an older version of django-cookie-consent and report back: https://github.com/jazzband/django-cookie-consent/tags

Manipulating the HTTPONLY attribute of a cookie via JavaScript is not allowed due to security reasons. The HTTPONLY attribute is intended to prevent client-side scripts from accessing the cookie, thereby reducing the risk of cross-site scripting (XSS) attacks. Instead, the HTTPONLY attribute can only be set at the server side when sending the cookie to the client in the HTTP response header. Therefore, to set or unset the HTTPONLY attribute of a cookie, you will need to manipulate the cookie at the server side.
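As an added illustration of that last point (example code, not part of django-cookie-consent), the stdlib-only Python below renders the Set-Cookie header a Django view would emit for a given httponly flag, which a setting such as COOKIE_CONSENT_HTTPONLY would feed, and audits a response's cookies against the ones the front-end actually has to read through document.cookie. The cookie name cookie_consent and the audit helpers are assumptions for the demonstration.

```python
# Added example, not django-cookie-consent's own code.
from http.cookies import SimpleCookie

COOKIE_NAME = "cookie_consent"  # assumed name, for illustration only


def build_set_cookie(value: str, httponly: bool, max_age: int = 31536000) -> str:
    """Render the Set-Cookie value a Django view produces via
    response.set_cookie(..., httponly=httponly). Only the server can
    decide this flag; a script cannot add or remove it later."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["samesite"] = "Lax"
    if httponly:
        morsel["httponly"] = True  # emitted as the bare "HttpOnly" attribute
    return morsel.OutputString()


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes without a value (HttpOnly, Secure) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def visible_to_document_cookie(header: str) -> bool:
    """True when page scripts reading document.cookie would see this cookie."""
    return "httponly" not in parse_set_cookie(header)["attrs"]


def audit_response_cookies(headers, js_needs):
    """Check every Set-Cookie header against the set of cookie names the
    front-end must read (js_needs). Returns (name, finding) tuples for
    cookies that will break scripts or are exposed without need."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        readable = "httponly" not in cookie["attrs"]
        if cookie["name"] in js_needs and not readable:
            findings.append((cookie["name"], "HttpOnly set but scripts need it"))
        elif cookie["name"] not in js_needs and readable:
            findings.append((cookie["name"], "readable from JS, set HttpOnly"))
    return findings
```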
Thanks for the reply. I worked around it by installing it as an app, rather than a package. I do realise you can set HTTPONLY server-side, but once it's set and delivered to the browser you can't view it/change it via the "document.cookie" property in JS if HTTPONLY is set to True. My point was more that if you release this as a new version, anyone who installs this as a package (not an app) will not be able to set HTTPONLY to False, and it may break websites (like mine) that need access to the cookie from JS. An override, available in the settings.py of the WSGI project, would be ideal.
Looking at the docs: https://django-cookie-consent.readthedocs.io/en/latest/settings.html#settings, you should be able to configure this with the The version on PyPI may not support this setting yet - currently I am unable to publish new versions of this package due to JazzBand restrictions that are not being resolved, see #64 (comment)

@sergei-maertens that issue was marked as closed. Are you now able to publish the new version?

Yes, 0.4.0dev1 is on PyPI as pre-release. There's one more open issue blocking the full 0.4.0 release!

django-cookie-consent 0.4.0 is now on PyPI, where this setting is available.

Thanks for fixing!
In version django-cookie-consent==0.3.2.dev1 the cookie defaults to HTTPONLY = True, which means you can't manipulate the cookie via JavaScript.
Would be good to be able to override this from settings.py with, for example,
COOKIE_CONSENT_HTTPONLY = False
Needless to say, I tried this and it didn't work.