
Refs #32800 -- Removed CSRF_COOKIE_MASKED transitional setting per deprecation timeline.

Mariusz Felisiak 2 years ago
parent
commit
e01970e9d2

+ 1 - 12
django/conf/__init__.py

@@ -16,19 +16,13 @@ from pathlib import Path
 import django
 from django.conf import global_settings
 from django.core.exceptions import ImproperlyConfigured
-from django.utils.deprecation import RemovedInDjango50Warning, RemovedInDjango51Warning
+from django.utils.deprecation import RemovedInDjango51Warning
 from django.utils.functional import LazyObject, empty
 
 ENVIRONMENT_VARIABLE = "DJANGO_SETTINGS_MODULE"
 DEFAULT_STORAGE_ALIAS = "default"
 STATICFILES_STORAGE_ALIAS = "staticfiles"
 
-# RemovedInDjango50Warning
-CSRF_COOKIE_MASKED_DEPRECATED_MSG = (
-    "The CSRF_COOKIE_MASKED transitional setting is deprecated. Support for "
-    "it will be removed in Django 5.0."
-)
-
 DEFAULT_FILE_STORAGE_DEPRECATED_MSG = (
     "The DEFAULT_FILE_STORAGE setting is deprecated. Use STORAGES instead."
 )
@@ -211,9 +205,6 @@ class Settings:
                 setattr(self, setting, setting_value)
                 self._explicit_settings.add(setting)
 
-        if self.is_overridden("CSRF_COOKIE_MASKED"):
-            warnings.warn(CSRF_COOKIE_MASKED_DEPRECATED_MSG, RemovedInDjango50Warning)
-
         if hasattr(time, "tzset") and self.TIME_ZONE:
             # When we can, attempt to validate the timezone. If we can't find
             # this file, no check happens and it's harmless.
@@ -272,8 +263,6 @@ class UserSettingsHolder:
 
     def __setattr__(self, name, value):
         self._deleted.discard(name)
-        if name == "CSRF_COOKIE_MASKED":
-            warnings.warn(CSRF_COOKIE_MASKED_DEPRECATED_MSG, RemovedInDjango50Warning)
         if name == "DEFAULT_FILE_STORAGE":
             self.STORAGES[DEFAULT_STORAGE_ALIAS] = {
                 "BACKEND": self.DEFAULT_FILE_STORAGE

+ 0 - 4
django/conf/global_settings.py

@@ -568,10 +568,6 @@ CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
 CSRF_TRUSTED_ORIGINS = []
 CSRF_USE_SESSIONS = False
 
-# Whether to mask CSRF cookie value. It's a transitional setting helpful in
-# migrating multiple instance of the same project to Django 4.1+.
-CSRF_COOKIE_MASKED = False
-
 ############
 # MESSAGES #
 ############

+ 1 - 7
django/middleware/csrf.py

@@ -85,13 +85,7 @@ def _add_new_csrf_cookie(request):
     csrf_secret = _get_new_csrf_string()
     request.META.update(
         {
-            # RemovedInDjango50Warning: when the deprecation ends, replace
-            # with: 'CSRF_COOKIE': csrf_secret
-            "CSRF_COOKIE": (
-                _mask_cipher_secret(csrf_secret)
-                if settings.CSRF_COOKIE_MASKED
-                else csrf_secret
-            ),
+            "CSRF_COOKIE": csrf_secret,
             "CSRF_COOKIE_NEEDS_UPDATE": True,
         }
     )
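Review bot: The new `"CSRF_COOKIE": csrf_secret` entry in `_add_new_csrf_cookie` drops the only comment that marked the unmasked value as intentional, so a later reader may take the missing `_mask_cipher_secret` call for an oversight. I would add above it `# The cookie stores the raw secret on purpose; masking is applied only to the token rendered into responses.`, which matches the 4.1 release note shown on this page. Because `settings.CSRF_COOKIE_MASKED` is no longer read and both warning sites in `django/conf/__init__.py` are removed, a project that still sets it to `True` now gets unmasked cookies with no signal. Any instance older than 4.1 that shares the cookie should therefore be upgraded before this release is deployed, and the 5.0 release note could say so rather than only "is removed". The function's `def` line and its end are outside the hunk.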

+ 0 - 14
docs/ref/settings.txt

@@ -343,20 +343,6 @@ form input <acquiring-csrf-token-from-html>` instead of :ref:`from the cookie
 
 See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``.
 
-.. setting:: CSRF_COOKIE_MASKED
-
-``CSRF_COOKIE_MASKED``
-----------------------
-
-Default: ``False``
-
-Whether to mask the CSRF cookie. See
-:ref:`release notes <csrf-cookie-masked-usage>` for usage details.
-
-.. deprecated:: 4.1
-
-    This transitional setting is deprecated and will be removed in Django 5.0.
-
 .. setting:: CSRF_COOKIE_NAME
 
 ``CSRF_COOKIE_NAME``

+ 5 - 6
docs/releases/4.1.txt

@@ -98,16 +98,15 @@ See :ref:`the Forms section (below)<forms-4.1>` for full details.
 ``CSRF_COOKIE_MASKED`` setting
 ------------------------------
 
-The new :setting:`CSRF_COOKIE_MASKED` transitional setting allows specifying
-whether to mask the CSRF cookie.
+The new ``CSRF_COOKIE_MASKED`` transitional setting allows specifying whether
+to mask the CSRF cookie.
 
 :class:`~django.middleware.csrf.CsrfViewMiddleware` no longer masks the CSRF
 cookie like it does the CSRF token in the DOM. If you are upgrading multiple
 instances of the same project to Django 4.1, you should set
-:setting:`CSRF_COOKIE_MASKED` to ``True`` during the transition, in
-order to allow compatibility with the older versions of Django. Once the
-transition to 4.1 is complete you can stop overriding
-:setting:`CSRF_COOKIE_MASKED`.
+``CSRF_COOKIE_MASKED`` to ``True`` during the transition, in order to allow
+compatibility with the older versions of Django. Once the transition to 4.1 is
+complete you can stop overriding ``CSRF_COOKIE_MASKED``.
 
 This setting is deprecated as of this release and will be removed in Django
 5.0.

+ 2 - 0
docs/releases/5.0.txt

@@ -306,3 +306,5 @@ See :ref:`deprecated-features-4.1` for details on these changes, including how
 to remove usage of these features.
 
 * The ``SitemapIndexItem.__str__()`` method is removed.
+
+* The ``CSRF_COOKIE_MASKED`` transitional setting is removed.

+ 0 - 30
tests/csrf_tests/tests.py

@@ -23,8 +23,6 @@ from django.middleware.csrf import (
     rotate_token,
 )
 from django.test import SimpleTestCase, override_settings
-from django.test.utils import ignore_warnings
-from django.utils.deprecation import RemovedInDjango50Warning
 from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
 
 from .views import (
@@ -1494,31 +1492,3 @@ class CsrfInErrorHandlingViewsTests(CsrfFunctionTestMixin, SimpleTestCase):
         token2 = response.content.decode("ascii")
         secret2 = _unmask_cipher_token(token2)
         self.assertMaskedSecretCorrect(token1, secret2)
-
-
-@ignore_warnings(category=RemovedInDjango50Warning)
-class CsrfCookieMaskedTests(CsrfFunctionTestMixin, SimpleTestCase):
-    @override_settings(CSRF_COOKIE_MASKED=True)
-    def test_get_token_csrf_cookie_not_set(self):
-        request = HttpRequest()
-        self.assertNotIn("CSRF_COOKIE", request.META)
-        self.assertNotIn("CSRF_COOKIE_NEEDS_UPDATE", request.META)
-        token = get_token(request)
-        cookie = request.META["CSRF_COOKIE"]
-        self.assertEqual(len(cookie), CSRF_TOKEN_LENGTH)
-        unmasked_cookie = _unmask_cipher_token(cookie)
-        self.assertMaskedSecretCorrect(token, unmasked_cookie)
-        self.assertIs(request.META["CSRF_COOKIE_NEEDS_UPDATE"], True)
-
-    @override_settings(CSRF_COOKIE_MASKED=True)
-    def test_rotate_token(self):
-        request = HttpRequest()
-        request.META["CSRF_COOKIE"] = MASKED_TEST_SECRET1
-        self.assertNotIn("CSRF_COOKIE_NEEDS_UPDATE", request.META)
-        rotate_token(request)
-        # The underlying secret was changed.
-        cookie = request.META["CSRF_COOKIE"]
-        self.assertEqual(len(cookie), CSRF_TOKEN_LENGTH)
-        unmasked_cookie = _unmask_cipher_token(cookie)
-        self.assertNotEqual(unmasked_cookie, TEST_SECRET)
-        self.assertIs(request.META["CSRF_COOKIE_NEEDS_UPDATE"], True)

+ 0 - 30
tests/deprecation/test_csrf_cookie_masked.py

@@ -1,30 +0,0 @@
-import sys
-from types import ModuleType
-
-from django.conf import CSRF_COOKIE_MASKED_DEPRECATED_MSG, Settings, settings
-from django.test import SimpleTestCase
-from django.utils.deprecation import RemovedInDjango50Warning
-
-
-class CsrfCookieMaskedDeprecationTests(SimpleTestCase):
-    msg = CSRF_COOKIE_MASKED_DEPRECATED_MSG
-
-    def test_override_settings_warning(self):
-        with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg):
-            with self.settings(CSRF_COOKIE_MASKED=True):
-                pass
-
-    def test_settings_init_warning(self):
-        settings_module = ModuleType("fake_settings_module")
-        settings_module.USE_TZ = False
-        settings_module.CSRF_COOKIE_MASKED = True
-        sys.modules["fake_settings_module"] = settings_module
-        try:
-            with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg):
-                Settings("fake_settings_module")
-        finally:
-            del sys.modules["fake_settings_module"]
-
-    def test_access(self):
-        # Warning is not raised on access.
-        self.assertEqual(settings.CSRF_COOKIE_MASKED, False)