sections: upgrade_guide:what-you-can-remove
| id | page | ref | title | content | breadcrumbs | references |
|---|---|---|---|---|---|---|
| upgrade_guide:what-you-can-remove | upgrade_guide | what-you-can-remove | What you can remove | You can now delete any of the following from your plugins and custom templates: Hidden CSRF form fields: `<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">`. The `csrftoken()` template helper (and `request.scope["csrftoken"]()` for plugins that call it from Python) still exists as a compatibility shim. It now returns a per-request random string rather than a cookie-bound signed value. Datasette no longer validates this token, and no `ds_csrftoken` cookie is set. Important for plugin authors: if your plugin previously used `request.scope["csrftoken"]()` or the `ds_csrftoken` cookie as a security primitive (for example, signing a URL and later comparing it to the cookie), the invariant that the token equals `request.cookies["ds_csrftoken"]` no longer holds. Replace those flows with signed, short-lived action URLs or explicit non-ambient credentials. Manual CSRF token extraction in tests, e.g.: `# No longer needed` `csrftoken = response.cookies["ds_csrftoken"]` `cookies["ds_csrftoken"] = csrftoken` `post_data["csrftoken"] = csrftoken`. The `ds_csrftoken` cookie is no longer set at all. The `csrftoken_from=` argument of the Datasette test client's `.post()` method is now a no-op and can be removed from your test code. | ["Upgrade guide", "Datasette 1.0a20 plugin upgrade guide", "CSRF protection is now header-based"] | [] |