#19436: ensure_csrf_cookie decorator issues a "CSRF token missing or incorrect"
warning.
-------------------------------+--------------------
Reporter: wrr@… | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.4
Severity: Normal | Keywords: csrf
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
I'm using the ensure_csrf_cookie decorator to set a CSRF protection token with a
POST request. The decorator works correctly, but it prints an incorrect and
confusing warning:
'''WARNING django.request Forbidden (CSRF token missing or incorrect.):
/auth/api/csrftoken/'''
The warning for sure comes from the decorator, because the application
does not use CsrfViewMiddleware. I briefly examined
django/views/decorators/csrf.py and django/middleware/csrf.py and it seems
that indeed such a warning is printed when the post method is decorated.
Relevant part of the code that produces the warning:
{{{
from django.core.context_processors import csrf
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import ensure_csrf_cookie
from django.views.generic import View


class CsrfToken(View):
    """Establishes Cross Site Request Forgery protection token."""

    @method_decorator(ensure_csrf_cookie)
    def post(self, request):
        """Returns CSRF protection token in a cookie and a response body."""
        csrf_token = csrf(request).values()[0]
        return http.HttpResponseOKJson({'csrfToken': str(csrf_token)})
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/19436>
Django <https://code.djangoproject.com/>
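
The behaviour reported above, as an added example that is not part of the ticket and is not Django's code: a standard-library model showing how a check that logs before calling an overridable reject hook still warns when a cookie-only variant suppresses the rejection. The class names, the `403` stand-in and the `model.request` logger are hypothetical, and the "log first, then reject" ordering is an assumption about the mechanism, not something the ticket shows.

```python
import logging

logger = logging.getLogger("model.request")  # stand-in for django.request
logger.propagate = False
REASON = "CSRF token missing or incorrect."  # wording taken from the ticket

class ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.messages = []
    def emit(self, record):
        self.messages.append(record.getMessage())

def token_ok(request):
    # Constructed rule: a POST needs a cookie and a matching submitted token.
    if request["method"] != "POST":
        return True
    return request["cookie"] is not None and request["cookie"] == request["token"]

class LogThenReject:
    """Assumed ordering: warn first, then ask _reject() what to return."""
    def _reject(self, request):
        return 403
    def process_view(self, request):
        if token_ok(request):
            return None
        logger.warning("Forbidden (%s): %s", REASON, request["path"])
        return self._reject(request)

class LogInsideReject(LogThenReject):
    """Alternative ordering: the warning lives where the refusal happens."""
    def _reject(self, request):
        logger.warning("Forbidden (%s): %s", REASON, request["path"])
        return 403
    def process_view(self, request):
        return None if token_ok(request) else self._reject(request)

def cookie_only(base):
    """Hypothetical cookie-only variant of `base`: same check, never refuses."""
    return type("CookieOnly" + base.__name__, (base,),
                {"_reject": lambda self, request: None})

def run(middleware, request):
    """Return (response, captured log messages) for one request."""
    handler = ListHandler()
    logger.addHandler(handler)
    try:
        return middleware.process_view(request), handler.messages
    finally:
        logger.removeHandler(handler)

# Constructed request: first POST from a client that has no CSRF cookie yet.
FIRST_POST = {"method": "POST", "path": "/auth/api/csrftoken/", "cookie": None, "token": None}
```

With `FIRST_POST`, `run(cookie_only(LogThenReject)(), FIRST_POST)` lets the request through yet records a "Forbidden" line, which is the misleading entry someone reviewing CSRF rejections in the logs would see; the `LogInsideReject` ordering records nothing for the cookie-only variant.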