#15354: Cookie with CSRF token not always available for AJAX Post requests
------------------------------------+----------------------------
Reporter: sayane | Owner: nobody
Type: Bug | Status: new
Milestone: 1.3 | Component: contrib.csrf
Version: SVN | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 |
------------------------------------+----------------------------
Changes (by lamby):
* cc: lamby (added)
* has_patch: 0 => 1
Comment:
I can't think of a nice *general* fix that doesn't involve a setting - we
really do not want to speculatively set a CSRF cookie on every response
(i.e. remove the CSRF_COOKIE_USED flag checking) as that adds "Vary:
Cookie" everywhere, uses entropy, bloats headers, etc. However, a patch
for a setting enabling this for certain projects would be pretty trivial
(just check for it in CsrfMiddleware.process_response).
My solution would be to add a view decorator that ensures the CSRF cookie is
set in the corresponding response. I'm attaching this now - it works well
and is better than having to place a {% csrf_token %} inside an HTML
comment or some other horrible hack.
--
Ticket URL: <http://code.djangoproject.com/ticket/15354#comment:6>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
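The mechanism lamby describes, as an added self-contained model (not Django's code and not the patch attached to the ticket): a view that never renders {% csrf_token %} never sets CSRF_COOKIE_USED, so the response hook sends no cookie and no "Vary: Cookie"; the decorator marks the cookie as used before the view runs, and `always_set_cookie` models the per-project setting he mentions. The Request/Response stand-ins, `get_token`, `patch_vary_headers`, `ensure_csrf_cookie` and `run` are assumptions of this example.

```python
import secrets
from functools import wraps

CSRF_COOKIE_NAME = "csrftoken"  # assumed default cookie name

class Request:  # stand-in for HttpRequest: only the META dict the CSRF code touches
    def __init__(self):
        self.META = {}

class Response:  # stand-in for HttpResponse with cookies and headers as plain dicts
    def __init__(self, body=""):
        self.body, self.cookies, self.headers = body, {}, {}

    def set_cookie(self, name, value):
        self.cookies[name] = value

def patch_vary_headers(response, newheaders):  # append to Vary, case-insensitively deduped
    existing = [h.strip() for h in response.headers.get("Vary", "").split(",") if h.strip()]
    existing += [h for h in newheaders if h.lower() not in map(str.lower, existing)]
    response.headers["Vary"] = ", ".join(existing)

def get_token(request):
    """What {% csrf_token %} does: mark the cookie as used and mint a token if needed."""
    request.META["CSRF_COOKIE_USED"] = True
    if "CSRF_COOKIE" not in request.META:
        request.META["CSRF_COOKIE"] = secrets.token_hex(16)  # entropy spent only here
    return request.META["CSRF_COOKIE"]

def csrf_process_response(request, response, always_set_cookie=False):
    """The CSRF_COOKIE_USED check; always_set_cookie models the opt-in setting."""
    if not (always_set_cookie or request.META.get("CSRF_COOKIE_USED")):
        return response  # no cookie, no "Vary: Cookie", no entropy spent
    response.set_cookie(CSRF_COOKIE_NAME, get_token(request))
    patch_vary_headers(response, ("Cookie",))
    return response

def ensure_csrf_cookie(view_func):
    """The decorator lamby proposes: force the cookie for this one view only."""
    @wraps(view_func)
    def wrapped(request, *args, **kwargs):
        get_token(request)
        return view_func(request, *args, **kwargs)
    return wrapped

def ajax_page(request):
    return Response("<div id='app'></div>")  # JS-driven page, no {% csrf_token %} rendered

def run(view, always_set_cookie=False):  # one request through the view and the response hook
    request = Request()
    return csrf_process_response(request, view(request), always_set_cookie)
```

Undecorated, `run(ajax_page)` yields no cookie and no Vary header; `run(ensure_csrf_cookie(ajax_page))` yields both, which is what an AJAX-only page needs before its first POST.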