Hi Hendrik,
Thank you for your prompt reply. I really appreciate it!
Yes, I am using the django development server, and it is on port
8000. I, too, read that the https can cause the '\x16\x03\x01'
problem, but I don't see how this can happen in my case because I did
not create any https'.
Although it may not be csrf, do you think |csrfmiddlewaretoken:'{{
csrf_token }}'| could be the missing piece (see
http://stackoverflow.com/questions/9085068/django-jquery-get-to-post)?
It seems to make sense to me because {% csrf_token %} is required for
a normal post request. If so, how do I use it in dojo.xhrPost? I tried
dojo.xhrPost( {
url: "/test/",
content: {
details: JSON.stringify(details)
csrfmiddlewaretoken: '{{ csrf_token }}'
},
load: function(response){
alert(response);
},
error: function(){
alert("error");
}
});
, but it did not change anything. I also commented out the is_ajax
line, but I got the same debug message.
voss
On Thursday, June 7, 2012 11:32:14 AM UTC-5, henzk wrote:
Hi Voss,
i guess you are right ... it may not be related to CSRF-Protection
at all.
Are you using the django development server? I have found some
references for '\x16\x03\x01' using google, e.g.
http://wishmesh.com/2010/05/apache-logs-contains-x16x03x01-when-accessing-site-via-https/
<http://wishmesh.com/2010/05/apache-logs-contains-x16x03x01-when-accessing-site-via-https/>
It seems that this is related to browsers that speak HTTPS to a
(misconfigured) HTTP server.
Can you verify that this happens also when using the django
devserver on port 8000?
Another thing you could try is to get rid of the is_ajax check.
In either case you should return a response for non-ajax requests
also ... otherwise you will provoke a HTTP500 in these cases.
hendrik
On 06/07/2012 06:17 PM, voss wrote:
Hello Hendrik,
To simplify things and to do some tests, I started with disabling
the csrf protection. Here is my JS:
dojo.xhrPost( {
url: "/test/",
content: {details: JSON.stringify(details)},
load: function(response){
alert(response);
},
error: function(){
alert("error");
}
});
In views.py, I have:
@csrf_exempt
def new_session(request):
if request.is_ajax():
return HttpResponse('ok')
In theory, I should see the 'ok' alert, but, instead, I got
"null". The debug message shows:
[07/Jun/2012 10:31:06] code 400, message Bad request syntax
('\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01O\xd0\xc9:}m\x9e\x04\xbf_:$`\x96v\xca\x1b\x92\xb8\xc7?M\x0f\xbdc\x8e\xfb+\x84E\x8c?\x00\x00H\x00\xff\xc0')
[07/Jun/2012 10:31:06] "??O??:}m??_:$`?v????M?c??+?E??H??" 400 -
This error message looks similar to that before the csrf_exempt
decorator was added, which suggests to me that the problem may
not be in the csrf protection. Am I right? Any thoughts would be
greatly appreciated!
voss
On Monday, June 4, 2012 8:21:15 PM UTC-5, henzk wrote:
Hi Voss,
i forgot about django's CSRF protection.
You can use the csrf_exempt decorator on the view function to
disable django's CSRF protection - however, i wouldn't
recommend that.
There is a script at
https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
<https://docs.djangoproject.com/en/dev/ref/contrib/csrf/>
To use the script with dojo instead of jquery, you will need
to adapt it a little:
-copy the getCookie function to your code
then, every time you make a POST request to your application
using dojo.xhrPost, add this to the arguments object:
headers: {'X-CSRFToken': getCookie('csrftoken')}
If you are still getting HTTP 400 errors, verify that the
request looks sane in firebug and check that it contains a
X_HTTP_REQUESTED_WITH header set to XMLHttpRequest (but i am
pretty sure dojo adds this one automatically).
hendrik
Am Montag, 4. Juni 2012 18:33:21 UTC+2 schrieb voss:
Hi Hendrik,
I forgot to mention in my previous message that the debug
shows the following:
code 400, message Bad request syntax
("\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01O\xcc\xd8\xc0\x18hZ\x7f\xa3h\xb9l\xaf\xdb\xfbp}(\xc1\xc6\xa5g\x18\xe5!\x87\xd4\xe2`_'\x90\x00\x00H\x00\xff\xc0")
Thank you!
voss
On Saturday, June 2, 2012 8:46:38 AM UTC-5, henzk wrote:
Hi,
i haven't tested the code and never used dojo before,
but sth. like
this should work:
var source1 = new dojo.dnd.Source("itemListNode");
var source2 = new dojo.dnd.Target("selectedListNode");
dojo.connect( source1, "onDndDrop",
function(source, nodes, copy, target){
//gather items and details
var details = [];
for( i=0; i < nodes.length; i++){
var item = this.getItem(nodes[i].id);
details.push(item.data);
}
//send details to server via AJAX POST request
dojo.xhrPost({
url: "/save_details/",
content: {details: JSON.stringify(details)},
// The success handler
load: function(response) {
alert('ok');
},
// The error handler
error: function() {
alert("error");
}
});
});
Explanation:
- changed 'item' to 'var item' ... without the 'var'
item will be
global, which is probably not what you want.
- to get around making multiple requests to the
server(one for each
dropped node), put the detail of each node in the
details array.
- then json-encode and send this array to your django
view (assumed to
be at '/save_details/')
- in the view, access the list as
json.loads(request.POST.get('details', '[]')) and
place it into
request.session
As mentioned, the code is completely untested.
Good luck!
Yours,
Hendrik Speidel
--
You received this message because you are subscribed to the
Google Groups "Django users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/django-users/-/CWKY_xRFelAJ
<https://groups.google.com/d/msg/django-users/-/CWKY_xRFelAJ>.
To post to this group, send email to
[email protected] <mailto:[email protected]>.
To unsubscribe from this group, send email to
[email protected]
<mailto:[email protected]>.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
<http://groups.google.com/group/django-users?hl=en>.
On Thursday, June 7, 2012 11:32:14 AM UTC-5, henzk wrote:
Hi Voss,
i guess you are right ... it may not be related to CSRF-Protection
at all.
Are you using the django development server? I have found some
references for '\x16\x03\x01' using google, e.g.
http://wishmesh.com/2010/05/apache-logs-contains-x16x03x01-when-accessing-site-via-https/
<http://wishmesh.com/2010/05/apache-logs-contains-x16x03x01-when-accessing-site-via-https/>
It seems that this is related to browsers that speak HTTPS to a
(misconfigured) HTTP server.
Can you verify that this happens also when using the django
devserver on port 8000?
Another thing you could try is to get rid of the is_ajax check.
In either case you should return a response for non-ajax requests
also ... otherwise you will provoke a HTTP500 in these cases.
hendrik
On 06/07/2012 06:17 PM, voss wrote:
Hello Hendrik,
To simplify things and to do some tests, I started with disabling
the csrf protection. Here is my JS:
dojo.xhrPost( {
url: "/test/",
content: {details: JSON.stringify(details)},
load: function(response){
alert(response);
},
error: function(){
alert("error");
}
});
In views.py, I have:
@csrf_exempt
def new_session(request):
if request.is_ajax():
return HttpResponse('ok')
In theory, I should see the 'ok' alert, but, instead, I got
"null". The debug message shows:
[07/Jun/2012 10:31:06] code 400, message Bad request syntax
('\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01O\xd0\xc9:}m\x9e\x04\xbf_:$`\x96v\xca\x1b\x92\xb8\xc7?M\x0f\xbdc\x8e\xfb+\x84E\x8c?\x00\x00H\x00\xff\xc0')
[07/Jun/2012 10:31:06] "??O??:}m??_:$`?v????M?c??+?E??H??" 400 -
This error message looks similar to that before the csrf_exempt
decorator was added, which suggests to me that the problem may
not be in the csrf protection. Am I right? Any thoughts would be
greatly appreciated!
voss
On Monday, June 4, 2012 8:21:15 PM UTC-5, henzk wrote:
Hi Voss,
i forgot about django's CSRF protection.
You can use the csrf_exempt decorator on the view function to
disable django's CSRF protection - however, i wouldn't
recommend that.
There is a script at
https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
<https://docs.djangoproject.com/en/dev/ref/contrib/csrf/>
To use the script with dojo instead of jquery, you will need
to adapt it a little:
-copy the getCookie function to your code
then, every time you make a POST request to your application
using dojo.xhrPost, add this to the arguments object:
headers: {'X-CSRFToken': getCookie('csrftoken')}
If you are still getting HTTP 400 errors, verify that the
request looks sane in firebug and check that it contains a
X_HTTP_REQUESTED_WITH header set to XMLHttpRequest (but i am
pretty sure dojo adds this one automatically).
hendrik
Am Montag, 4. Juni 2012 18:33:21 UTC+2 schrieb voss:
Hi Hendrik,
I forgot to mention in my previous message that the debug
shows the following:
code 400, message Bad request syntax
("\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01O\xcc\xd8\xc0\x18hZ\x7f\xa3h\xb9l\xaf\xdb\xfbp}(\xc1\xc6\xa5g\x18\xe5!\x87\xd4\xe2`_'\x90\x00\x00H\x00\xff\xc0")
Thank you!
voss
On Saturday, June 2, 2012 8:46:38 AM UTC-5, henzk wrote:
Hi,
i haven't tested the code and never used dojo before,
but sth. like
this should work:
var source1 = new dojo.dnd.Source("itemListNode");
var source2 = new dojo.dnd.Target("selectedListNode");
dojo.connect( source1, "onDndDrop",
function(source, nodes, copy, target){
//gather items and details
var details = [];
for( i=0; i < nodes.length; i++){
var item = this.getItem(nodes[i].id);
details.push(item.data);
}
//send details to server via AJAX POST request
dojo.xhrPost({
url: "/save_details/",
content: {details: JSON.stringify(details)},
// The success handler
load: function(response) {
alert('ok');
},
// The error handler
error: function() {
alert("error");
}
});
});
Explanation:
- changed 'item' to 'var item' ... without the 'var'
item will be
global, which is probably not what you want.
- to get around making multiple requests to the
server(one for each
dropped node), put the detail of each node in the
details array.
- then json-encode and send this array to your django
view (assumed to
be at '/save_details/')
- in the view, access the list as
json.loads(request.POST.get('details', '[]')) and
place it into
request.session
As mentioned, the code is completely untested.
Good luck!
Yours,
Hendrik Speidel
--
You received this message because you are subscribed to the
Google Groups "Django users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/django-users/-/CWKY_xRFelAJ
<https://groups.google.com/d/msg/django-users/-/CWKY_xRFelAJ>.
To post to this group, send email to
[email protected] <mailto:[email protected]>.
To unsubscribe from this group, send email to
[email protected]
<mailto:[email protected]>.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
<http://groups.google.com/group/django-users?hl=en>.
--
You received this message because you are subscribed to the Google
Groups "Django users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/django-users/-/zX59VNkLB-gJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
