Author: lukeplant Date: 2011-05-09 12:06:57 -0700 (Mon, 09 May 2011) New Revision: 16191
Modified: django/trunk/docs/ref/contrib/csrf.txt Log: Fixed #15469 - CSRF token is inserted on GET requests Thanks to goran for report.
Modified: django/trunk/docs/ref/contrib/csrf.txt
===================================================================
--- django/trunk/docs/ref/contrib/csrf.txt 2011-05-09 19:06:49 UTC (rev 16190)
+++ django/trunk/docs/ref/contrib/csrf.txt 2011-05-09 19:06:57 UTC (rev 16191)
@@ -114,7 +114,11 @@
 // or any other URL that isn't scheme relative or absolute i.e relative.
 !(/^(\/\/|http:|https:).*/.test(url));
 }
- if (sameOrigin(settings.url)) {
+ function safeMethod(method) {
+ return (method === 'GET' || method === 'HEAD');
+ }
+
+ if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
 xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
 }
 });
-- You received this message because you are subscribed to the Google Groups "Django updates" group. To post to this group, send email to django-updates@googlegroups.com. To unsubscribe from this group, send email to django-updates+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-updates?hl=en.
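Review bot: `safeMethod` compares `method` against 'GET' and 'HEAD' with exact-case `===`, so a request whose `settings.type` arrives as `'get'` is not treated as safe and the `X-CSRFToken` header is still attached, which is the behaviour this commit sets out to stop. Whether the library upper-cases the type before this handler runs is not visible in the hunk; a case-insensitive test such as `return /^(GET|HEAD)$/i.test(method);` removes that dependency. The mismatch fails toward sending the token, so it does not weaken protection on unsafe methods. A one-line comment above the function, e.g. `// these HTTP methods do not change state, so no CSRF token is sent`, would tell readers copying the snippet why the list is limited to these methods. The enclosing handler starts above the hunk.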