#15258: Ajax CSRF protection doesn't apply to PUT or DELETE requests
------------------------------------------+-------------------------
Reporter: brodie | Owner: nobody
Status: new | Milestone: 1.4
Component: Core framework | Version: 1.2
Resolution: | Keywords: csrf ajax
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 1
Patch needs improvement: 0 |
------------------------------------------+-------------------------
Comment (by tomchristie):
Presumably we also ought to add TRACE to the list of safe methods (as per
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html, "the methods OPTIONS
and TRACE SHOULD NOT have side effects").
I'd guess that in practice it'd almost always be dealt with at, e.g., the
Apache level or whatever, but there might be some cases where it gets
dealt with by Django middleware further down the stack.
--
Ticket URL: <http://code.djangoproject.com/ticket/15258#comment:4>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
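As an added illustration of the safe-method list discussed in the comment (example code, not Django's own middleware): a CSRF check that only verifies POST, matching the ticket title's symptom that PUT and DELETE slip through (the POST-only condition is an assumption made here), beside a corrected check that exempts only the RFC 2616 safe methods, including OPTIONS and TRACE. Token names and values are constructed.

```python
import hmac

# Methods RFC 2616 section 9.1 defines as safe (no side effects); the
# comment above argues TRACE belongs here next to OPTIONS.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def _tokens_match(cookie_token, submitted_token):
    """Both tokens must be present and equal; compare in constant time."""
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def csrf_check_post_only(method, cookie_token, submitted_token):
    """Assumed 'before' behaviour: only POST is verified, so a PUT or
    DELETE without any token is accepted (the defect in the ticket title)."""
    if method.upper() != "POST":
        return True
    return _tokens_match(cookie_token, submitted_token)


def csrf_check_safe_methods(method, cookie_token, submitted_token):
    """Corrected behaviour: skip verification only for RFC 2616 safe
    methods; every other verb (POST, PUT, DELETE, PATCH, ...) needs a token."""
    if method.upper() in SAFE_METHODS:
        return True
    return _tokens_match(cookie_token, submitted_token)


if __name__ == "__main__":
    # Constructed sample: the session cookie's token is present but the
    # request carries no token header, the case CSRF protection must reject
    # for every state-changing verb.
    for verb in ("GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"):
        print(f"{verb:8s} post-only={csrf_check_post_only(verb, 'abc123', None)!s:5s} "
              f"safe-methods={csrf_check_safe_methods(verb, 'abc123', None)}")
```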