Deprecation/Removal: Csrf CrossDomainCookieMiddleware (DEPR-165)

Hi there,

We plan to deprecate and remove CsrfCrossDomainCookieMiddleware.

Please read for more information and to post any questions/comments. The proposed deadline for comments before acceptance is 09-15-2021.

Once the ticket is accepted, removal can happen at any time.

Thanks, jinder

Hi @jinder_Singh , thanks for the announcement!

But we use cross-domain CSRF for SAML authentication to Okta, and we have another client that uses it for logging in from their custom frontend (albeit on an old version of Open edX, and there may be better APIs for this now CC @itsjeyd ).

Instead of removing this middleware entirely, could it be moved to a plugin so that users who need it can still use it?

@jill Thanks for the info. I will discuss with team more about this and get back to this. There is high likely hood we will not be removing the middleware.

FYI, we have decided not to go forward with this deprecation. This seems to be actively used in community and until we have a better story around plugin for middleware, it better to leave it as is.

1 Like