Author: adrian
Date: 2008-12-07 22:15:19 -0600 (Sun, 07 Dec 2008)
New Revision: 9593

Modified:
   django/trunk/docs/ref/contrib/csrf.txt
Log:
Edited ref/contrib/csrf.txt changes from [9554]

Modified: django/trunk/docs/ref/contrib/csrf.txt
===================================================================
--- django/trunk/docs/ref/contrib/csrf.txt      2008-12-08 04:07:42 UTC (rev 
9592)
+++ django/trunk/docs/ref/contrib/csrf.txt      2008-12-08 04:15:19 UTC (rev 
9593)
@@ -35,12 +35,19 @@
 .. versionadded:: 1.1
 
 To manually exclude a view function from being handled by the
-CsrfMiddleware, you can use the ``csrf_exempt`` decorator (found in
-the ``django.contrib.csrf.middleware`` module).
+CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in
+the ``django.contrib.csrf.middleware`` module. For example::
 
-AJAX requests sent with "X-Requested-With: XMLHttpRequest" are
-automatically exempt (see below).
+    from django.contrib.csrf.middleware import csrf_exempt
 
+    def my_view(request):
+        return HttpResponse('Hello world')
+    my_view = csrf_exempt(my_view)
+
+You don't have to worry about doing this for most AJAX views. Any request sent
+with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the next
+section.)
+
 How it works
 ============
 
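Review bot: the new example in this hunk calls ``HttpResponse`` without importing it, so a reader who pastes it verbatim gets a ``NameError``; add ``from django.http import HttpResponse`` next to the ``csrf_exempt`` import so the snippet runs as written. The sentence "You don't have to worry about doing this for most AJAX views" also presents the ``X-Requested-With`` exemption as a convenience only; since the safety of that exemption is qualified in the next section ("not secure if you don't trust content within the same domain or subdomains"), consider carrying that qualification here as well, e.g. "Any request sent with ... is automatically exempt, provided you trust all content served from your domain and its subdomains (see the next section)", so that a reader who stops at this paragraph does not mark AJAX views exempt without knowing the condition.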
@@ -72,12 +79,13 @@
 pages that are served as 'text/html' or 'application/xml+xhtml'
 are modified.
 
-AJAX requests sent with "X-Requested-With: XMLHttpRequest", as done by
-many AJAX toolkits, are detected and automatically excepted from this
-mechanism.  This is because in the context of a browser, this header
-can only be added by using XMLHttpRequest, and browsers already
-implement a same-domain policy for XMLHttpRequest.  This is not secure
-if you do not trust content within the same domain or sub-domains.
+The middleware tries to be smart about requests that come in via AJAX. Many
+JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header;
+these requests are detected and automatically *not* handled by this middleware.
+We can do this safely because, in the context of a browser, the header can only
+be added by using ``XMLHttpRequest``, and browsers already implement a
+same-domain policy for ``XMLHttpRequest``. (Note that this is not secure if you
+don't trust content within the same domain or subdomains.)
 
 The above two functions of ``CsrfMiddleware`` are split between two
 classes: ``CsrfResponseMiddleware`` and ``CsrfViewMiddleware``
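Review bot: the security-relevant point of this hunk is buried in a parenthetical. The exemption rests on a single assumption stated in the preceding sentence, that in a browser the ``X-Requested-With`` header "can only be added by using ``XMLHttpRequest``" and that the same-domain policy confines ``XMLHttpRequest`` to the page's own domain; the closing "(Note that this is not secure if you don't trust content within the same domain or subdomains.)" is the consequence of that assumption, not an aside. Suggest promoting it to its own sentence that spells the consequence out: any script running within the same domain or a subdomain can issue an ``XMLHttpRequest`` carrying the header, and such a request bypasses the token check entirely, so the exemption should only be relied on where all content under the domain is trusted. Stating it that way also makes clear to readers that the safeguard is the browser's policy, not anything the middleware verifies.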

