Please document how to use this secure scaffold with single page applications, e.g. Angular and React SPAs. These would typically serve the static HTML directly from AppEngine (not through Python templating), which makes it impossible to inject the CSRF token. To make things more complicated, the CSRF token can also not be read from client-side JavaScript, because the secure scaffold defaults set the cookie to HttpOnly.
As far as I can tell, setting the cookie to HttpOnly does not add to the protection in a major way - e.g. see https://docs.djangoproject.com/en/3.0/ref/settings/#csrf-cookie-httponly.
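The usual way to reconcile a CSRF cookie with an SPA that serves static HTML is the double-submit pattern: the server issues a CSRF cookie that is deliberately not HttpOnly, the client-side code reads it and echoes it back in a request header, and the server checks that the header matches the cookie. The following is an added, framework-neutral sketch of that pattern; it is not code from the secure scaffold, and the cookie name `csrf_token`, the header name `X-CSRF-Token` and the function names are this example's own assumptions, not the scaffold's configuration.

```python
"""Double-submit CSRF check for an SPA served as static files.

Added example, not the secure scaffold's own code. Cookie/header names and
all function names are assumptions for illustration.
"""
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

CSRF_COOKIE = "csrf_token"     # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"   # assumed header the SPA copies the cookie into
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def make_csrf_token() -> str:
    """Fresh, unguessable token (32 random bytes, URL-safe base64)."""
    return secrets.token_urlsafe(32)


def csrf_cookie_header(token: str) -> str:
    """Value of the Set-Cookie header that issues the token.

    Secure and SameSite=Strict keep the cookie to same-site HTTPS requests.
    HttpOnly is intentionally absent: the SPA has to read this cookie from
    document.cookie in order to copy it into the request header.
    """
    return f"{CSRF_COOKIE}={token}; Path=/; Secure; SameSite=Strict"


def csrf_request_is_valid(method: str,
                          cookie_header: Optional[str],
                          headers: Dict[str, str]) -> bool:
    """Double-submit check: the header token must equal the cookie token.

    Safe (read-only) methods are not checked. The comparison is constant-time
    so the token cannot be recovered byte by byte from timing differences.
    """
    if method.upper() in SAFE_METHODS:
        return True
    if not cookie_header:
        return False
    jar = SimpleCookie()
    jar.load(cookie_header)          # parses "a=b; c=d" from the Cookie header
    morsel = jar.get(CSRF_COOKIE)
    if morsel is None:
        return False
    # Header names are case-insensitive; look the token up accordingly.
    submitted = next((v for k, v in headers.items()
                      if k.lower() == CSRF_HEADER.lower()), None)
    if not submitted:
        return False
    return hmac.compare_digest(morsel.value, submitted)


if __name__ == "__main__":
    # Constructed round trip: issue a token, then validate a matching POST.
    token = make_csrf_token()
    print(csrf_cookie_header(token))
    print(csrf_request_is_valid("POST", f"{CSRF_COOKIE}={token}",
                                {CSRF_HEADER: token}))
```

On the client side the SPA reads the `csrf_token` cookie from `document.cookie` and sets it as the `X-CSRF-Token` header on every non-GET request. The protection rests on the fact that a cross-site page can read neither the cookie nor the response, so it cannot produce a matching header; the remaining caveat is that any origin able to set cookies for the application's domain (for example a compromised sibling subdomain) could plant a matching pair, which is why the cookie also carries `Secure` and `SameSite=Strict`.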