#19436: ensure_csrf_cookie decorator issues a "CSRF token missing or incorrect" warning.
-------------------------------------+-------------------------------------
Reporter: wrr@… | Owner: nobody
Type: Bug | Status: reopened
Component: Uncategorized | Version: 1.4
Severity: Normal | Resolution:
Keywords: csrf | Triage Stage: Design decision needed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by russellm):
* stage: Unreviewed => Design decision needed
Comment:
I can validate that the report is accurate -- a POST request to a view
protected by ensure_csrf_cookie raises a 403.
I suppose the bigger question is whether this is expected or not. I'm
having difficulty with understanding why you would want to ensure that
there is a CSRF cookie, but not actually use it for a POST. The
ensure_csrf_cookie decorator was introduced as a fix for #15354. The
intention appears to be to ensure that the cookie has been set on a GET
request, so that subsequent POST requests will have the cookie in place.
Marking as DDN so we can sort out what the right behavior is here.
--
Ticket URL: <https://code.djangoproject.com/ticket/19436#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
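The behaviour the comment above describes, as an added illustration that is not part of the ticket and not Django's code: a small stand-in for the CSRF middleware, with `get_token`, `ensure_csrf_cookie` and `csrf_exempt` modelled on the roles of their Django namesakes. The constructed `Request`, `Response` and `run` helpers are assumptions made so the example runs without Django. It shows why a decorated view still answers a POST with 403 when no token accompanies the cookie: the decorator only guarantees that the cookie is issued on the response, it never disables verification.

```python
import hmac
import secrets

# Constructed names mirroring the roles of Django's CSRF pieces; this is a
# simulation written for the example, not Django's implementation.
CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class Request:
    """Minimal request object (constructed for the example)."""
    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.COOKIES = dict(cookies or {})
        self.POST = dict(post or {})
        self.META = {}


class Response:
    """Minimal response object (constructed for the example)."""
    def __init__(self, status, body=""):
        self.status = status
        self.body = body
        self.cookies = {}


def get_token(request):
    """Return the request's CSRF token, issuing a fresh one if no cookie came
    in, and record that the response must carry it as a cookie."""
    if "CSRF_COOKIE" not in request.META:
        request.META["CSRF_COOKIE"] = secrets.token_urlsafe(24)
    request.META["CSRF_COOKIE_USED"] = True
    return request.META["CSRF_COOKIE"]


def ensure_csrf_cookie(view):
    """Guarantee the cookie is set on the response; verification is untouched."""
    def wrapper(request):
        get_token(request)
        return view(request)
    return wrapper


def csrf_exempt(view):
    """Mark the view so the middleware skips verification entirely."""
    view.csrf_exempt = True
    return view


def run(view, request):
    """Drive one request through the simulated middleware and the view."""
    # process_request: take the token from the incoming cookie, if any.
    if CSRF_COOKIE_NAME in request.COOKIES:
        request.META["CSRF_COOKIE"] = request.COOKIES[CSRF_COOKIE_NAME]
    # process_view: unsafe methods must present a token matching the cookie.
    if request.method not in SAFE_METHODS and not getattr(view, "csrf_exempt", False):
        expected = request.META.get("CSRF_COOKIE")
        supplied = request.POST.get(CSRF_FORM_FIELD, "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return Response(403, "CSRF token missing or incorrect.")
    response = view(request)
    # process_response: set the cookie only if something asked for the token.
    if request.META.get("CSRF_COOKIE_USED"):
        response.cookies[CSRF_COOKIE_NAME] = request.META["CSRF_COOKIE"]
    return response


@ensure_csrf_cookie
def ajax_page(request):
    return Response(200, "ok")


def plain_page(request):
    return Response(200, "ok")


def demo():
    """Return (status of POST without token, status of POST with token)."""
    # GET: the decorated view sets the cookie, the undecorated one does not.
    first = run(ajax_page, Request("GET"))
    assert CSRF_COOKIE_NAME in first.cookies
    assert CSRF_COOKIE_NAME not in run(plain_page, Request("GET")).cookies
    token = first.cookies[CSRF_COOKIE_NAME]
    # POST with the cookie but no token field: 403, exactly as the ticket reports.
    missing = run(ajax_page, Request("POST", cookies={CSRF_COOKIE_NAME: token}))
    # POST carrying the matching token in the form field: accepted.
    ok = run(ajax_page, Request("POST", cookies={CSRF_COOKIE_NAME: token},
                                post={CSRF_FORM_FIELD: token}))
    return missing.status, ok.status


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

The design point for a defender is the asymmetry in `run`: issuing the cookie and checking it are separate steps, and only `csrf_exempt` switches the check off. A client that obtained the cookie via a decorated GET still has to echo the token on every unsafe request; that is the intended contract, not a gap.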