{"html_url": "https://github.com/simonw/datasette/pull/798#issuecomment-639712835", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/798", "id": 639712835, "node_id": "MDEyOklzc3VlQ29tbWVudDYzOTcxMjgzNQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-05T18:53:32Z", "updated_at": "2020-06-05T18:53:32Z", "author_association": "OWNER", "body": "Add unit tests illustrating the `Vary: Cookie` header and I'm done here.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 631300342, "label": "CSRF protection"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/798#issuecomment-639685550", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/798", "id": 639685550, "node_id": "MDEyOklzc3VlQ29tbWVudDYzOTY4NTU1MA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-05T18:20:34Z", "updated_at": "2020-06-05T18:20:34Z", "author_association": "OWNER", "body": "I'm solving the compatibility with caching problem in this ticket: https://github.com/simonw/asgi-csrf/issues/7", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 631300342, "label": "CSRF protection"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/798#issuecomment-639269994", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/798", "id": 639269994, "node_id": "MDEyOklzc3VlQ29tbWVudDYzOTI2OTk5NA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-05T05:36:35Z", "updated_at": "2020-06-05T05:38:25Z", "author_association": "OWNER", "body": "Django docs on CSRF and caching: https://docs.djangoproject.com/en/3.0/ref/csrf/#caching\r\n\r\n> If the csrf_token template tag is used by a template (or the get_token function is called some other way), CsrfViewMiddleware will add a cookie and a Vary: Cookie header to the response. This means that the middleware will play well with the cache middleware if it is used as instructed\r\n\r\nSo the cookie is only set for pages that included a hidden csrftoken form field! This could work.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 631300342, "label": "CSRF protection"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/798#issuecomment-639269559", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/798", "id": 639269559, "node_id": "MDEyOklzc3VlQ29tbWVudDYzOTI2OTU1OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-05T05:34:56Z", "updated_at": "2020-06-05T05:35:23Z", "author_association": "OWNER", "body": "I don't want to set a cookie on a page response that is being cached.\r\n\r\nRight now the ASGI middleware will be doing exactly that, which is bad.\r\n\r\nBut how do I get certainty that when you load a page with a form that will be CSRF protected you have been served the cookie?\r\n\r\nMaybe those pages should do something explicit to the request object indicating that the cookie is needed?\r\n\r\nThat works for Datasette (since it has mutable request objects) but I'm not sure how it would work in the asgi-csrf pure ASGI middleware context.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 631300342, "label": "CSRF protection"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/798#issuecomment-639249743", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/798", "id": 639249743, "node_id": "MDEyOklzc3VlQ29tbWVudDYzOTI0OTc0Mw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-05T04:23:01Z", "updated_at": "2020-06-05T04:23:01Z", "author_association": "OWNER", "body": "Needs unit tests.\r\n\r\nMore importantly: needs very, very careful consideration of how this plays with HTTP caching.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 631300342, "label": "CSRF protection"}, "performed_via_github_app": null}