From f20f89590366c7f96e3c3549e1ddbbcf4132064b Mon Sep 17 00:00:00 2001
From: Edward Zarecor
Date: Tue, 29 Mar 2016 17:04:15 -0400
Subject: [PATCH 1/3] Updating cookies settings
---
 lms/envs/aws.py | 6 ++++++
 lms/envs/common.py | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/lms/envs/aws.py b/lms/envs/aws.py
index 22e178740e..54d4339072 100644
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -349,6 +349,12 @@ FOOTER_BROWSER_CACHE_MAX_AGE = ENV_TOKENS.get('FOOTER_BROWSER_CACHE_MAX_AGE', FO
 NOTIFICATION_EMAIL_CSS = ENV_TOKENS.get('NOTIFICATION_EMAIL_CSS', NOTIFICATION_EMAIL_CSS)
 NOTIFICATION_EMAIL_EDX_LOGO = ENV_TOKENS.get('NOTIFICATION_EMAIL_EDX_LOGO', NOTIFICATION_EMAIL_EDX_LOGO)
+# Determines whether the CSRF toke can be transported on
+# unencrypted channels. It is set to False here for backward compatibility,
+# but it is highly recommended that this is True for enviroments accessed
+# by end users.
+CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', False)
+
 ############# CORS headers for cross-domain requests #################
 if FEATURES.get('ENABLE_CORS_HEADERS') or FEATURES.get('ENABLE_CROSS_DOMAIN_CSRF_COOKIE'):
diff --git a/lms/envs/common.py b/lms/envs/common.py
index e5dd407e2d..061c950d3e 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -2022,7 +2022,9 @@ MIGRATION_MODULES = {
 # Forwards-compatibility with Django 1.7
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
-
+# It is highly recommended that you override this any enviroment accessed by
+# end users
+CSRF_COOKIE_SECURE = False
 ######################### Django Rest Framework ########################
From ae202dd54a330890f74a841a4048d1c31a9b9033 Mon Sep 17 00:00:00 2001
From: e0d
Date: Fri, 8 Apr 2016 06:08:41 -0400
Subject: [PATCH 2/3] fix CR nits
---
 lms/envs/aws.py | 2 +-
 lms/envs/common.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lms/envs/aws.py b/lms/envs/aws.py
index 54d4339072..d52c41294b 100644
--- a/lms/envs/aws.py
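Review bot: The default in `+CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', False)` hard-codes False instead of falling back to the value the same patch defines in lms/envs/common.py, unlike the neighbouring NOTIFICATION_EMAIL_* lines, which use the already-defined setting as their default; `CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', CSRF_COOKIE_SECURE)` keeps one source of truth for the default. The same applies to the cms/envs/aws.py hunk in PATCH 3/3. The comment also describes the flag loosely: what CSRF_COOKIE_SECURE controls is the Secure attribute on the CSRF cookie, so browsers send that cookie only on HTTPS requests, while the token itself can still appear in forms and headers of pages served over plain HTTP. Worth stating the operational consequence as well, since with it True a site that still serves end-user pages over HTTP will see the cookie withheld and POSTs rejected by the CSRF check, e.g. `# Sets the Secure attribute on the CSRF cookie so browsers only send it over HTTPS;` / `# only enable once every end-user page is served over HTTPS.`. Given the subject "Updating cookies settings", it is also worth confirming the session cookie's Secure flag (SESSION_COOKIE_SECURE) is configured elsewhere, as it is not touched here.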
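Review bot: The removed blank line at `-` after `CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52` in the lms/envs/common.py hunk leaves the new comment and setting directly under the `# Forwards-compatibility with Django 1.7` stanza, so a reader takes CSRF_COOKIE_SECURE for another Django 1.7 compatibility item; keep the separating blank line and give the new setting its own heading. The comment also says to override the value without saying what it controls or where the override lives, while the aws.py hunk reads it from the CSRF_COOKIE_SECURE key of ENV_TOKENS; `# Secure attribute on the CSRF cookie (sent only over HTTPS). Kept False for backward` / `# compatibility; set CSRF_COOKIE_SECURE to True in the env tokens of any environment end users reach.` would cover both. The cms/envs/common.py hunk in PATCH 3/3 has the same layout.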
+++ b/lms/envs/aws.py
@@ -349,7 +349,7 @@ FOOTER_BROWSER_CACHE_MAX_AGE = ENV_TOKENS.get('FOOTER_BROWSER_CACHE_MAX_AGE', FO
 NOTIFICATION_EMAIL_CSS = ENV_TOKENS.get('NOTIFICATION_EMAIL_CSS', NOTIFICATION_EMAIL_CSS)
 NOTIFICATION_EMAIL_EDX_LOGO = ENV_TOKENS.get('NOTIFICATION_EMAIL_EDX_LOGO', NOTIFICATION_EMAIL_EDX_LOGO)
-# Determines whether the CSRF toke can be transported on
+# Determines whether the CSRF token can be transported on
 # unencrypted channels. It is set to False here for backward compatibility,
 # but it is highly recommended that this is True for enviroments accessed
 # by end users.
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 061c950d3e..f3757d29b3 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -2022,7 +2022,7 @@ MIGRATION_MODULES = {
 # Forwards-compatibility with Django 1.7
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
-# It is highly recommended that you override this any enviroment accessed by
+# It is highly recommended that you override this in any environment accessed by
 # end users
 CSRF_COOKIE_SECURE = False
From 2be2b52f632650360f5a930299fe27c1bcc71a4b Mon Sep 17 00:00:00 2001
From: e0d
Date: Fri, 8 Apr 2016 06:09:03 -0400
Subject: [PATCH 3/3] apply the setting to the CMS too
---
 cms/envs/aws.py | 6 ++++++
 cms/envs/common.py | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/cms/envs/aws.py b/cms/envs/aws.py
index 0068221147..3bd110ff10 100644
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
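Review bot: The typo fix in the lms/envs/aws.py hunk stops one word short: the context line `# but it is highly recommended that this is True for enviroments accessed` two lines below the corrected one still misspells "environments", while the copy added to cms/envs/aws.py in PATCH 3/3 spells it correctly. Changing it to `# but it is highly recommended that this is True for environments accessed` here keeps the two comments identical.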
@@ -168,6 +168,12 @@ if ENV_TOKENS.get('SESSION_COOKIE_NAME', None):
 EDXMKTG_LOGGED_IN_COOKIE_NAME = ENV_TOKENS.get('EDXMKTG_LOGGED_IN_COOKIE_NAME', EDXMKTG_LOGGED_IN_COOKIE_NAME)
 EDXMKTG_USER_INFO_COOKIE_NAME = ENV_TOKENS.get('EDXMKTG_USER_INFO_COOKIE_NAME', EDXMKTG_USER_INFO_COOKIE_NAME)
+# Determines whether the CSRF token can be transported on
+# unencrypted channels. It is set to False here for backward compatibility,
+# but it is highly recommended that this is True for environments accessed
+# by end users.
+CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', False)
+
 #Email overrides
 DEFAULT_FROM_EMAIL = ENV_TOKENS.get('DEFAULT_FROM_EMAIL', DEFAULT_FROM_EMAIL)
 DEFAULT_FEEDBACK_EMAIL = ENV_TOKENS.get('DEFAULT_FEEDBACK_EMAIL', DEFAULT_FEEDBACK_EMAIL)
diff --git a/cms/envs/common.py b/cms/envs/common.py
index d145920406..7bb4d9663f 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -298,7 +298,9 @@ from lms.envs.common import (
 # Forwards-compatibility with Django 1.7
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
-
+# It is highly recommended that you override this in any environment accessed by
+# end users
+CSRF_COOKIE_SECURE = False
 #################### CAPA External Code Evaluation #############################
 XQUEUE_INTERFACE = {