#9559: CSRFMiddleware should strip POST dat instead of showing the user an error message if a forgery is detected ----------------------------------+----------------------------------------- Reporter: zain | Owner: nobody Status: new | Milestone: Component: Contrib apps | Version: 1.0 Keywords: csrf, csrfmiddleware | Stage: Unreviewed Has_patch: 1 | ----------------------------------+----------------------------------------- If a page receives a POST that doesn't contain the 'csrfmiddlwaretoken' variable, it shows the following message: "Cross Site Request Forgery detected. Request aborted."
Instead of showing the user this message, I propose just stripping out the POST data. That could help improve user experience in the case of when a site outside your control is redirecting to you. For example; if a user is paying you via Paypal web payments, they get redirected back to your website at the end. During this step, Paypal POSTs some (non-critical) information. At this point, the CSRF middleware shows the user an error. As a result, it is impossible to use the CSRF Middleware on a website that accepts paypal web payments. The patch I have attached merely sets request.POST = [] instead of giving the user an HttpResponseForbidden message. -- Ticket URL: <http://code.djangoproject.com/ticket/9559> Django <http://code.djangoproject.com/> The Web framework for perfectionists with deadlines. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django updates" group. To post to this group, send email to django-updates@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-updates?hl=en -~----------~----~----~----~------~----~------~--~---
