On Wed, 2011-02-23 at 05:07 -0800, Jonas Obrist wrote:
> I beg to differ, Luke.
> 
> 
> Most of the AJAX POSTs we do are actually not a 'form'. Because we
> usually submit forms with 'normal' POST requests.

I was suggesting that normally you would encounter at least one normal
form before doing AJAX, in which the cookie would be set. And if you
apply the principles of graceful degradation, then you will have a
normal HTML form which includes the token, as well as having the AJAX
stuff. Obviously that depends on the app, and it is becoming less and
less true, with more and more apps that depend entirely on javascript.

> What would be so terrible in just setting the cookie always?

Hmm, good question. I guess just the fact of sending stuff that you may
not need seems like bad practice.

If we changed it to always send the cookie, we would need to ensure that
we only send the 'Vary: Cookie' header if the token was actually used in
the page.  Implementing this is actually a fairly trivial patch - just
re-ordering a few lines.

If there was objection to always sending the cookie, we might need a
setting to control that. But I'm loath to do that and add further
complications to the docs.

Luke

-- 
As Ralph Waldo Emerson once said, "I hate quotations." 

Luke Plant || http://lukeplant.me.uk/
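
The ordering discussed in the message above, as an added sketch that is not part of the original message and not Django's middleware code: the CSRF cookie goes out on every response, while `Vary: Cookie` is added only when the page actually embedded the token, so shared caches can still reuse pages that never touched it. The dict-based response, `finalize_csrf`, `patch_vary`, `new_response`, the `token_used` flag and the cookie name are assumptions made for illustration.

```python
import secrets

CSRF_COOKIE = "csrftoken"  # cookie name assumed for this sketch


def new_response():
    """Constructed stand-in for a framework response object."""
    return {"headers": {}, "set_cookies": {}}


def patch_vary(headers, name):
    """Add `name` to the Vary header without duplicating an existing entry."""
    current = [v.strip() for v in headers.get("Vary", "").split(",") if v.strip()]
    if name.lower() not in (v.lower() for v in current):
        current.append(name)
    headers["Vary"] = ", ".join(current)


def finalize_csrf(request_cookies, response, token_used, always_set=True):
    """Hypothetical response hook.

    request_cookies: cookies the browser sent (dict)
    token_used:      True if the rendered page embedded the CSRF token
    always_set:      True  -> cookie on every response (the proposal)
                     False -> cookie only when the token was used
    """
    if always_set or token_used:
        # Reuse the browser's existing token so already-open forms stay valid.
        token = request_cookies.get(CSRF_COOKIE) or secrets.token_urlsafe(32)
        response["set_cookies"][CSRF_COOKIE] = token
    if token_used:
        # Only in this case does the body depend on the cookie value,
        # so only in this case must caches key on the Cookie header.
        patch_vary(response["headers"], "Cookie")
    return response
```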
