Rm csrf protection

CHANGELOG.md

@@ -1,3 +1,14 @@
+# 0.19.0 - 2017-10-16
+## Changed
+- 🔒  CSRF protection measures were removed as CSRF style attacks are not relevant
+to Dash apps. Dash's API uses `POST` requests with content type
+`application/json` which are not susceptible to unwanted requests from 3rd
+party sites. See https://github.com/plotly/dash/issues/141 for more.
+- 🔒  Setting `app.server.secret_key` is no longer required since CSRF protection was
+removed. Setting `app.server.secret_key` was difficult to document and
+a very common source of confusion, so it's great that users won't get bitten
+by this anymore :tada:
+
 # 0.18.3 - 2017-09-08
 ## Added
 - `app.config` is now a `dict` instead of a class. You can set config variables with

dash/dash.py

@@ -1,14 +1,12 @@
-import flask
-import json
-import plotly
 from flask import Flask, Response
 from flask_compress import Compress
-from flask_seasurf import SeaSurf
-import os
+import collections
+import flask
 import importlib
+import json
 import pkgutil
-import collections
-import re
+import plotly
+import warnings
 
 import dash_renderer
 
@@ -26,8 +24,17 @@ def __init__(
         server=None,
         static_folder=None,
         url_base_pathname='/',
-        csrf_protect=True
+        **kwargs
     ):
+
+        if 'csrf_protect' in kwargs:
+            warnings.warn('''
+                `csrf_protect` is no longer used,
+                CSRF protection has been removed as it is no longer
+                necessary.
+                See https://github.com/plotly/dash/issues/141 for details.
+                ''', DeprecationWarning)
+
         # allow users to supply their own flask server
         if server is not None:
             self.server = server
@@ -36,19 +43,6 @@ def __init__(
                 name = 'dash'
             self.server = Flask(name, static_folder=static_folder)
 
-        if self.server.secret_key is None:
-            # If user supplied their own server, they might've supplied a
-            # secret_key with it
-            secret_key_name = 'dash_{}_secret_key'.format(
-                # replace any invalid characters
-                re.sub('[\W_]+', '_', name)
-            )
-            secret_key = os.environ.get(
-                secret_key_name, SeaSurf()._generate_token()
-            )
-            os.environ[secret_key_name] = secret_key
-            self.server.secret_key = secret_key
-
         self.url_base_pathname = url_base_pathname
         self.config = _AttributeDict({
             'suppress_callback_exceptions': False,
@@ -62,10 +56,6 @@ def __init__(
         # gzip
         Compress(self.server)
 
-        # csrf protect
-        if csrf_protect:
-            self._csrf = SeaSurf(self.server)
-
         # static files from the packages
         self.css = Css()
         self.scripts = Scripts()

dash/version.py

@@ -1 +1 @@
-__version__ = '0.18.3'
+__version__ = '0.19.0'

setup.py

@@ -16,7 +16,6 @@
     install_requires=[
         'Flask>=0.12',
         'flask-compress',
-        'flask-seasurf',
         'plotly'
     ],
     url='https://plot.ly/dash',