#16936: CSRF with AJAX documentation is out-of-date
-------------------------------+------------------------------------
Reporter: idangazit | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: SVN
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Comment (by idangazit):
== @lukeplant:
=== Regarding [16183]:
Looking at this again with fresh eyes, I see that I mixed up the date
order — [16183] came after the blog post (linked in ticket description).
Posting a new patch backing out that deletion shortly, my bad.
Regardless, there should be an explicit mention that the `sameOrigin`
logic adheres to the recommendation of that blogpost, so it doesn't appear
we're providing conflicting recommendations.
=== Regarding DOM vs. cookie for acquiring CSRF token.
Again, the blogpost cited above recommends a snippet which is getting the
value out of the DOM. If this isn't a good way to get the snippet, then we
should update the blogpost's example. Either way, will update patch to
omit the DOM method.
== @ptone
Good catch regarding safeMethod. I'm changing the method name to be a bit
clearer about what it does.
--
Ticket URL: <https://code.djangoproject.com/ticket/16936#comment:7>