#11566: CSRF documentation problem
---------------------------+------------------------------------------------
 Reporter:  benlbroussard  |       Owner:  nobody    
   Status:  new            |   Milestone:            
Component:  Documentation  |     Version:  1.0       
 Keywords:                 |       Stage:  Unreviewed
Has_patch:  0              |  
---------------------------+------------------------------------------------
 The documentation for "Cross Site Request Forgery protection" found at
 http://docs.djangoproject.com/en/dev/ref/contrib/csrf/ is both unclear and
 incorrect in the last paragraph before limitations where it states:

 "The middleware tries to be smart about requests that come in via AJAX.
 Many JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP
 header; these requests are detected and automatically not handled by this
 middleware. We can do this safely because, in the context of a browser,
 the header can only be added by using XMLHttpRequest, and browsers already
 implement a same-domain policy for XMLHttpRequest. (Note that this is not
 secure if you don't trust content within the same domain or subdomains.)"

 It is true that the browsers have implemented a same-domain policy for
 XMLHttpRequest. The implicit statement is that the browser will only allow
 XMLHttpRequest requests from the same domain. This is, however, not true.
 Browsers will allow image, js file, css file, and AJAX requests from any
 domain to any domain. What it will not allow is the parsing of the AJAX
 response.

 This means that the current CsrfMiddleware does not handle AJAX requests
 securely. It should validate a token for POST AJAX requests. It should
 fail if the token is not valid or doesn't exist.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/11566>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
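The check the ticket asks for, as an added example that is not part of the ticket or of Django's own middleware: a minimal stand-in for the CSRF decision, with the behaviour the reporter objects to (skipping the token check whenever `X-Requested-With: XMLHttpRequest` is present) placed beside the fix (validating the token on every unsafe-method request, AJAX or not). The `Request` class, the `csrftoken` cookie name, and the `csrfmiddlewaretoken` field / `X-CSRFToken` header names are assumptions modelled on the documentation, not Django's real objects.

```python
import hmac
import secrets

# Constructed stand-in for an incoming request (not Django's HttpRequest).
# Header names are normalised to lower case so lookups are case-insensitive.
class Request:
    def __init__(self, method, headers=None, cookies=None, post=None):
        self.method = method.upper()
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.cookies = cookies or {}
        self.POST = post or {}


# Methods that must never change server state, so they need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token():
    """Fresh per-session token; the server sets this in the csrftoken cookie."""
    return secrets.token_hex(16)


def _submitted_token(request):
    # Hypothetical names: a form field or a request header carrying the token.
    # A cross-site page cannot read the cookie, so it cannot supply either one.
    return request.POST.get("csrfmiddlewaretoken") or request.headers.get("x-csrftoken")


def _token_matches(request):
    cookie = request.cookies.get("csrftoken")
    submitted = _submitted_token(request)
    if not cookie or not submitted:
        return False
    # Constant-time comparison so the check leaks nothing about the token.
    return hmac.compare_digest(cookie, submitted)


def csrf_check_weak(request):
    """Behaviour the ticket describes: a request that merely carries
    X-Requested-With: XMLHttpRequest bypasses the token check entirely."""
    if request.method in SAFE_METHODS:
        return True
    if request.headers.get("x-requested-with") == "XMLHttpRequest":
        return True  # the exemption the ticket objects to
    return _token_matches(request)


def csrf_check_fixed(request):
    """Behaviour the ticket asks for: every unsafe-method request must
    present a token matching the cookie, whether or not it is AJAX."""
    if request.method in SAFE_METHODS:
        return True
    return _token_matches(request)


def demo():
    """Constructed requests: the browser always attaches the cookie, but only
    same-site script can also place the token in the body or a header."""
    token = issue_token()
    # Cross-site POST that sets the header but cannot know the token.
    forged = Request("POST",
                     headers={"X-Requested-With": "XMLHttpRequest"},
                     cookies={"csrftoken": token})
    # Legitimate AJAX POST from the site's own script.
    legit = Request("POST",
                    headers={"X-Requested-With": "XMLHttpRequest",
                             "X-CSRFToken": token},
                    cookies={"csrftoken": token})
    return {
        "weak_accepts_forged": csrf_check_weak(forged),
        "fixed_accepts_forged": csrf_check_fixed(forged),
        "fixed_accepts_legit": csrf_check_fixed(legit),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged request is accepted by the weak check and rejected by the fixed one purely on the basis of the token, which is the property the ticket wants: the `X-Requested-With` header is treated as uninformative and the token alone decides.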