#15354: Cookie with CSRF token not always available for AJAX Post requests
---------------------------+------------------------------------------------
Reporter: sayane | Owner: nobody
Status: new | Milestone: 1.3
Component: Uncategorized | Version: SVN
Keywords: | Triage Stage: Unreviewed
Has patch: 0 |
---------------------------+------------------------------------------------
Quote from mailing list:
{{{
There's a problem with CSRF protection and XHR requests. It works
perfectly if the 'csrftoken' cookie has already been set. But what if it's
not?
The cookie with the token will be set only if META["CSRF_COOKIE_USED"] is True
[1]. It's set to True in the function get_token() [2]. get_token() is called
in CsrfResponseMiddleware [3] (it's deprecated, I'm not using it) and in the
'csrf' context processor [4] (note: calling it is lazy, so I need to use {%
csrf_token %} or at least get the value of the csrf_token variable).
But in my project I'm not using {% csrf_token %} anywhere. According to the
documentation [5] I'm not required to do anything else but write some simple
JavaScript code. Actually, that's not true. I have to put the line
"request.META['CSRF_COOKIE_USED'] = True" in every view (or write an
appropriate decorator).
What is more, it will affect users who haven't come across a page where
csrf_token is used, but whose browser needs to send an XHR POST request.
It affects the SVN version. I don't know if other versions are affected.
[1] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L236
[2] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L67
[3] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L270
[4] http://code.djangoproject.com/browser/django/trunk/django/core/context_processors.py#L38
[5] http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
}}}
--
Ticket URL: <http://code.djangoproject.com/ticket/15354>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
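The mechanism the reporter describes, as an added example (not the ticket's or Django's own code): a view decorator that sets the CSRF_COOKIE_USED flag, beside a condensed, Django-free stand-in for the middleware's process_response step that only writes the csrftoken cookie when that flag is present. The Request and Response classes and the token value are constructed for the demonstration; the middleware logic is assumed from the trunk source the ticket links to.

```python
from functools import wraps

CSRF_COOKIE_NAME = "csrftoken"  # Django's default CSRF_COOKIE_NAME setting


class Request:
    """Stand-in for HttpRequest (constructed): only META matters here."""
    def __init__(self, token):
        # CsrfViewMiddleware.process_view stores the token here before the view runs
        self.META = {"CSRF_COOKIE": token}


class Response:
    """Stand-in for HttpResponse (constructed) with a plain cookie dict."""
    def __init__(self, body=""):
        self.body = body
        self.cookies = {}


def ensure_csrf_cookie(view):
    """The decorator the reporter asks for: flag the request so the middleware
    writes the cookie even though the view never renders {% csrf_token %}."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        request.META["CSRF_COOKIE_USED"] = True  # the side effect get_token() has
        return view(request, *args, **kwargs)
    return wrapper


def csrf_process_response(request, response):
    """Condensed CsrfViewMiddleware.process_response (assumed from the linked
    trunk source): the cookie is written only when the request was flagged."""
    if not request.META.get("CSRF_COOKIE_USED", False):
        return response
    response.cookies[CSRF_COOKIE_NAME] = request.META["CSRF_COOKIE"]
    return response


def ajax_page(request):
    """Page whose JavaScript later POSTs via XHR; it renders no {% csrf_token %}."""
    return Response("<script>/* reads csrftoken cookie into X-CSRFToken */</script>")


def has_csrf_cookie(view, token="constructed-token-value"):
    """Push one GET through view + middleware; True if csrftoken reached the response."""
    request = Request(token)
    response = csrf_process_response(request, view(request))
    return response.cookies.get(CSRF_COOKIE_NAME) == token


if __name__ == "__main__":
    print(has_csrf_cookie(ajax_page))                      # False: the later XHR POST gets 403
    print(has_csrf_cookie(ensure_csrf_cookie(ajax_page)))  # True
```

Django later shipped django.views.decorators.csrf.ensure_csrf_cookie for exactly this case; it calls get_token() on the request, which has the same effect as the flag set above.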