Refs #32800 -- Removed CSRF_COOKIE_MASKED transitional setting per deprecation timeline.

2025-10-31 09:41:08 +00:00 · 2023-01-12 12:47:42 +01:00
parent daf88e778b
commit e01970e9d2
8 changed files with 9 additions and 103 deletions
--- a/django/conf/init.py
+++ b/django/conf/init.py
@@ -16,19 +16,13 @@ from pathlib import Path
 import django
 from django.conf import global_settings
 from django.core.exceptions import ImproperlyConfigured
-from django.utils.deprecation import RemovedInDjango50Warning, RemovedInDjango51Warning
+from django.utils.deprecation import RemovedInDjango51Warning
 from django.utils.functional import LazyObject, empty

 ENVIRONMENT_VARIABLE = "DJANGO_SETTINGS_MODULE"
 DEFAULT_STORAGE_ALIAS = "default"
 STATICFILES_STORAGE_ALIAS = "staticfiles"

-# RemovedInDjango50Warning
-CSRF_COOKIE_MASKED_DEPRECATED_MSG = (
-    "The CSRF_COOKIE_MASKED transitional setting is deprecated. Support for "
-    "it will be removed in Django 5.0."
-)
-
 DEFAULT_FILE_STORAGE_DEPRECATED_MSG = (
    "The DEFAULT_FILE_STORAGE setting is deprecated. Use STORAGES instead."
 )
@@ -211,9 +205,6 @@ class Settings:
                setattr(self, setting, setting_value)
                self._explicit_settings.add(setting)

-        if self.is_overridden("CSRF_COOKIE_MASKED"):
-            warnings.warn(CSRF_COOKIE_MASKED_DEPRECATED_MSG, RemovedInDjango50Warning)
-
        if hasattr(time, "tzset") and self.TIME_ZONE:
            # When we can, attempt to validate the timezone. If we can't find
            # this file, no check happens and it's harmless.
@@ -272,8 +263,6 @@ class UserSettingsHolder:

    def __setattr__(self, name, value):
        self._deleted.discard(name)
-        if name == "CSRF_COOKIE_MASKED":
-            warnings.warn(CSRF_COOKIE_MASKED_DEPRECATED_MSG, RemovedInDjango50Warning)
        if name == "DEFAULT_FILE_STORAGE":
            self.STORAGES[DEFAULT_STORAGE_ALIAS] = {
                "BACKEND": self.DEFAULT_FILE_STORAGE
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -568,10 +568,6 @@ CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
 CSRF_TRUSTED_ORIGINS = []
 CSRF_USE_SESSIONS = False

-# Whether to mask CSRF cookie value. It's a transitional setting helpful in
-# migrating multiple instance of the same project to Django 4.1+.
-CSRF_COOKIE_MASKED = False
-
 ############
 # MESSAGES #
 ############
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -85,13 +85,7 @@ def _add_new_csrf_cookie(request):
    csrf_secret = _get_new_csrf_string()
    request.META.update(
        {
-            # RemovedInDjango50Warning: when the deprecation ends, replace
-            # with: 'CSRF_COOKIE': csrf_secret
-            "CSRF_COOKIE": (
-                _mask_cipher_secret(csrf_secret)
-                if settings.CSRF_COOKIE_MASKED
-                else csrf_secret
-            ),
+            "CSRF_COOKIE": csrf_secret,
            "CSRF_COOKIE_NEEDS_UPDATE": True,
        }
    )