#16936: CSRF with AJAX documentation is out-of-date
-------------------------------+--------------------------------------
Reporter: idangazit | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.3
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Comment (by anonymous):
Also to highlight something I think PaulM saw and commented on in IRC,
there is either a bug in the original/current snippet in the docs, or my
logic is failing.
This line was removed from the current docs in the patch:
{{{
if (!safeMethod(settings.type) &&
    sameOrigin(settings.url)) {
}}}
and this was added:
{{{
if (!(/^https?:.*/.test(settings.url)) &&
    safeMethod(settings.type) ) {
}}}
The logic of safeMethod is reversed, but as I read it, the patch is
correct: you only want to send the cookie if the method was safe. If that
is not the case, that function should be renamed to be much clearer.
Also not clear in the current patch, nor the original security release
notes, is why relative URLs should be enforced. A brief note explaining
this in the docs would be beneficial.
--
Ticket URL: <https://code.djangoproject.com/ticket/16936#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.