#15258: Ajax CSRF protection doesn't apply to PUT or DELETE requests
------------------------------------------+-------------------------
Reporter: brodie | Owner: nobody
Status: new | Milestone:
Component: Core framework | Version: 1.2
Resolution: | Keywords: csrf ajax
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 1
Patch needs improvement: 0 |
------------------------------------------+-------------------------
Comment (by tow21):
To respond to the "tricky thing" in the original report: DELETE has no
body, so there's no way to pass the token in the body anyway. And since
PUT may contain essentially arbitrary data that need not be form-encoded,
I think it's reasonable to require use of X-CSRFToken instead.
Additionally, I think the patch perhaps ought to be changed so that
instead of:
{{{
- if request.method == 'POST':
+ if request.method in ('POST', 'PUT', 'DELETE'):
}}}
we do:
{{{
- if request.method == 'POST':
+ if request.method not in ('GET', 'HEAD', 'OPTIONS'):
}}}
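Review bot: the safe-method allowlist on the `+` line omits TRACE, which HTTP defines as safe alongside GET, HEAD and OPTIONS, so TRACE requests would also be subjected to the token check; if that is not intended, extend the tuple to `('GET', 'HEAD', 'OPTIONS', 'TRACE')`.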
Rationale: if anyone is experimenting with methods beyond those in HTTP
itself (for example, writing handlers for WebDAV methods) then we have no
guarantees on the idempotency of anything other than GET, HEAD, and
OPTIONS.
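A runnable sketch of the two method tests proposed in this comment, added here as an illustration (it is neither Django's middleware nor the ticket's patch); the cookie token, the `csrf_allows` helper and the WebDAV method used in the demo are constructed for the example:

```python
import hmac
import secrets

# Constructed token, standing in for the value stored in the csrftoken cookie.
COOKIE_TOKEN = secrets.token_hex(16)


def needs_check_enumerated(method):
    """First patch variant: only the listed methods are checked."""
    return method in ('POST', 'PUT', 'DELETE')


def needs_check_safelist(method):
    """Second patch variant: everything except the safe methods is checked."""
    return method not in ('GET', 'HEAD', 'OPTIONS')


def csrf_allows(method, cookie_token, form_token=None, header_token=None,
                needs_check=needs_check_safelist):
    """Return True if the request may proceed (simplified model of the check).

    POST may carry the token in the form body; any other checked method must
    send it in the X-CSRFToken header, as the comment argues for PUT/DELETE.
    """
    if not needs_check(method):
        return True
    if not cookie_token:
        return False  # no cookie means nothing to compare against
    candidates = []
    if header_token is not None:
        candidates.append(header_token)
    if method == 'POST' and form_token is not None:
        candidates.append(form_token)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return any(hmac.compare_digest(c, cookie_token) for c in candidates)


def demo():
    """Show how an unlisted (WebDAV) method fares under each variant."""
    for name, pred in (('enumerated', needs_check_enumerated),
                       ('safelist', needs_check_safelist)):
        allowed = csrf_allows('PROPFIND', COOKIE_TOKEN, needs_check=pred)
        print(f'{name}: PROPFIND without token allowed={allowed}')


if __name__ == '__main__':
    demo()
```

Under the enumerated variant a tokenless PROPFIND passes unchecked; under the safelist variant it is rejected, which is the point of the comment's rationale.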
--
Ticket URL: <http://code.djangoproject.com/ticket/15258#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.