#15258: Ajax CSRF protection doesn't apply to PUT or DELETE requests
----------------------------+-----------------------------------------------
 Reporter:  brodie          |        Owner:  nobody
   Status:  new             |    Milestone:
Component:  Core framework  |      Version:  1.2
 Keywords:  csrf ajax       | Triage Stage:  Unreviewed
Has patch:  0               |
----------------------------+-----------------------------------------------
 The CSRFViewMiddleware only does CSRF checks for POST requests. It's not
 uncommon to do PUT and DELETE requests from Ajax. Now that the middleware
 also checks Ajax requests, we should probably check those request methods
 as well.
 One tricky thing is extracting form data for PUT and DELETE requests. We
 don't populate request.POST for those methods, so we would either have to
 add something to get them out of raw_post_data, or require X-CSRFToken to
 be set for PUT/DELETE.

--
Ticket URL: <http://code.djangoproject.com/ticket/15258>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/django-updates?hl=en.
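The gap the ticket describes, and the second of its two proposed fixes (require an X-CSRFToken header for PUT/DELETE rather than parsing raw_post_data), as an added, self-contained example. This is not Django's CsrfViewMiddleware and not code from the ticket: the Request stand-in, the SAFE_METHODS list, the post_only switch and the new_token() helper are this example's own assumptions. Cookie name (csrftoken), form field (csrfmiddlewaretoken) and the X-CSRFToken header name follow the names used by Django and the ticket.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Methods treated as side-effect free and therefore exempt from the check.
# The list is this example's assumption; the ticket does not specify one.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"            # Django's CSRF cookie name
FORM_FIELD = "csrfmiddlewaretoken"   # Django's form field name
TOKEN_HEADER = "X-CSRFToken"         # header the ticket proposes for Ajax PUT/DELETE


@dataclass
class Request:
    """Minimal stand-in for Django's HttpRequest, constructed for this example."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    content_type: str = ""

    @property
    def POST(self):
        # As in Django 1.2: form data is parsed only for POST. A form-encoded
        # PUT or DELETE body stays in raw_post_data and is NOT visible here,
        # which is exactly the "tricky thing" the ticket points out.
        if self.method != "POST" or not self.content_type.startswith(
            "application/x-www-form-urlencoded"
        ):
            return {}
        return {k: v[0] for k, v in parse_qs(self.body.decode()).items()}


def submitted_token(request):
    """Token from the form field (only populated for POST), else from the header."""
    token = request.POST.get(FORM_FIELD)
    if not token:
        token = request.headers.get(TOKEN_HEADER)
    return token


def csrf_check(request, post_only=False):
    """Return (ok, reason).

    post_only=True reproduces the behaviour the ticket reports: only POST is
    checked, so a forged PUT or DELETE passes. post_only=False checks every
    method outside SAFE_METHODS, which is what the ticket asks for.
    """
    if post_only:
        needs_check = request.method == "POST"
    else:
        needs_check = request.method not in SAFE_METHODS
    if not needs_check:
        return True, "method not checked"

    cookie = request.cookies.get(COOKIE_NAME)
    if not cookie:
        return False, "CSRF cookie not set"
    token = submitted_token(request)
    if not token:
        return False, "CSRF token missing"
    # Constant-time compare on bytes so a non-ASCII token cannot raise TypeError.
    if not hmac.compare_digest(cookie.encode(), token.encode()):
        return False, "CSRF token incorrect"
    return True, "ok"


def new_token():
    """Fresh random token; the format is an assumption of this example."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    tok = new_token()
    # Forged cross-site DELETE: the cookie rides along, no token is sent anywhere.
    forged = Request("DELETE", cookies={COOKIE_NAME: tok})
    print("POST-only check:", csrf_check(forged, post_only=True))  # passes: the bug
    print("all unsafe:     ", csrf_check(forged))                  # rejected
    # Legitimate Ajax DELETE carries the token in the header.
    ajax = Request("DELETE", cookies={COOKIE_NAME: tok}, headers={TOKEN_HEADER: tok})
    print("ajax header:    ", csrf_check(ajax))
    # Form-encoded PUT body never reaches request.POST, so the field alone fails.
    put = Request("PUT", cookies={COOKIE_NAME: tok},
                  body=f"{FORM_FIELD}={tok}".encode(),
                  content_type="application/x-www-form-urlencoded")
    print("PUT form body:  ", csrf_check(put))
```

The last case is the one worth noticing: once PUT and DELETE are checked, a client that puts the token in a form-encoded body still fails unless the middleware is also taught to read raw_post_data, so requiring the header is the simpler of the two options the ticket lists.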
