#16936: CSRF with AJAX documentation is out-of-date
-------------------------------+--------------------------------------
Reporter: idangazit | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.3
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Comment (by lukeplant):
BTW, if I remember correctly, the snippet that gets the csrftoken from the
DOM was deliberately rejected in favour of one that gets it from the
cookie. If you have the token in the DOM, you are guaranteed to have it in
the cookie too if you used the normal mechanism. So it seemed to make more
sense to rely on the cookie.
@ptone: other parts of CSRF docs do mention the fact that if you send a
CSRF token cross-domain you have a security issue - the other domain can
use the token to do a CSRF attack on you.
--
Ticket URL: <https://code.djangoproject.com/ticket/16936#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
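As an added illustration of the two points in the comment above (read the token from the `csrftoken` cookie rather than the DOM, and never send it cross-domain), here is example client-side code that is not from the ticket or from Django's documentation. It assumes Django's default cookie name `csrftoken` and its `X-CSRFToken` request header; the cookie string and page origin are passed in explicitly so the functions run outside a browser.

```javascript
// Added example (not code from the Django ticket or the Django docs).
// It shows the two points from the comment:
//  1. the CSRF token is read from the `csrftoken` cookie, not from the DOM;
//  2. the token is attached only to same-origin requests, because handing it
//     to another domain lets that domain replay it in a CSRF attack.

// Parse one cookie value out of a `document.cookie`-style string.
// The cookie string is a parameter so the function can be exercised offline.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// True when `url` targets the same origin (scheme + host + port) as `pageOrigin`.
// Relative URLs resolve against the page origin and are therefore same-origin.
function isSameOrigin(url, pageOrigin) {
  const target = new URL(url, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

// Build the extra request headers for an AJAX call. The CSRF header is added
// only for state-changing methods on same-origin URLs; cross-domain requests
// and safe methods get no token at all.
function buildHeaders(method, url, pageOrigin, cookieString) {
  const headers = {};
  const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  if (safeMethods.includes(method.toUpperCase())) return headers;
  if (!isSameOrigin(url, pageOrigin)) return headers;
  const token = getCookie('csrftoken', cookieString);
  if (token !== null) headers['X-CSRFToken'] = token;
  return headers;
}

// In a browser this would be called as:
//   buildHeaders('POST', '/api/item/', window.location.origin, document.cookie)
// and the returned object merged into the XMLHttpRequest or fetch() headers.
```

Note that `isSameOrigin` compares the full origin, so a request to a different subdomain or port is treated as cross-domain and gets no token; that is the conservative behaviour the comment argues for.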