Do you guys think is possible the jQuery Form plugin is some how interfering with the token?

Johnf
On 04/09/2014 02:18 PM, John Fabiani wrote:
The code looks great. I just do not know where the code goes and how it is to be called. For example: should the code you provided be in .ajaxSubmit -> beforeSubmit: showRequest, or is there some other way I should call the functions? Does the code add to my data? If so, where, and how does that work?

I tried adding the code to the beforeSubmit but still get the 403 error. I'm missing something very fundamental.

Johnf
On 04/09/2014 12:22 PM, C. Kirby wrote:
Okay. I may get a few of the details wrong here, but the general idea should be correct. Basically CSRF makes sure that the request is coming from a page served by the same domain. In order to do this it checks the REFERRER header to make sure it is in the same domain. The cookie that you grab using the code you showed is used in generating the ajax headers.

So, how to use it. I do it slightly differently than the example - I use jQuery .ajaxSend() <https://api.jquery.com/ajaxSend/> instead of the $.ajaxSetup() they provide. What I like about the way I use it is that you put all of the ajax-related CSRF code in one $(document) block in an always-included .js file and it Just Works(TM).

Here is the code that I use:

$(document).ajaxSend(function(event, xhr, settings) {
     function getCookie(name) {
         var cookieValue = null;
         if (document.cookie && document.cookie != '') {
             var cookies = document.cookie.split(';');
             for (var i = 0; i < cookies.length; i++) {
                 var cookie = jQuery.trim(cookies[i]);
                 // Does this cookie string begin with the name we want?
                 if (cookie.substring(0, name.length + 1) == (name + '=')) {
                     cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                     break;
                 }
             }
         }
         return cookieValue;
     }
     function sameOrigin(url) {
         // url could be relative or scheme relative or absolute
         var host = document.location.host; // host + port
         var protocol = document.location.protocol;
         var sr_origin = '//' + host;
         var origin = protocol + sr_origin;
         // Allow absolute or scheme relative URLs to same origin
         return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
             (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
             // or any other URL that isn't scheme relative or absolute i.e relative.
             !(/^(\/\/|http:|https:).*/.test(url));
     }
     function safeMethod(method) {
         return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
     }

     // Only non-safe, same-origin requests get the header; the token is never
     // sent to another origin, and the cookie alone is not enough for Django.
     if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
         xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
     }
});

jQuery is up to 1.11 (on the 1.x branch); you will probably gain a lot from upgrading, but I would be a bit worried about deprecated features. Try it out: if it works with no issues, great; if not, you can decide whether to fix the errors or revert.

Kirby
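To make concrete why the cookie alone still produces a 403, here is an added example (not code from the thread or from Django itself) that reproduces the order of checks in Django 1.6's CsrfViewMiddleware over a constructed request object: the submitted token is read from the csrfmiddlewaretoken form field, then from the X-CSRFToken header, and must match the csrftoken cookie; the Referer is only checked over HTTPS. The Request class and the example.test host and token values are constructed for the demonstration.

```python
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

SAFE_METHODS = re.compile(r"^(GET|HEAD|OPTIONS|TRACE)$")

@dataclass
class Request:
    """Constructed stand-in for the parts of a Django HttpRequest the check reads."""
    method: str
    host: str
    secure: bool = False
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)   # e.g. X-CSRFToken, Referer

def csrf_check(request):
    """Return (accepted, reason) in the order Django 1.6's CsrfViewMiddleware
    applies its checks; accepted=False is the 403 the thread is about."""
    if SAFE_METHODS.match(request.method):
        return True, "safe method, not checked"
    cookie_token = request.cookies.get("csrftoken")
    if cookie_token is None:
        return False, "CSRF cookie not set"
    if request.secure:                       # Referer is only checked over HTTPS
        referer = request.headers.get("Referer")
        if referer is None:
            return False, "Referer checking failed - no Referer"
        parsed = urlparse(referer)
        if (parsed.scheme, parsed.netloc) != ("https", request.host):
            return False, "Referer checking failed - does not match"
    # The submitted token is read from the form field first, then from the header.
    request_token = request.post.get("csrfmiddlewaretoken", "") if request.method == "POST" else ""
    if request_token == "":
        request_token = request.headers.get("X-CSRFToken", "")
    if not hmac.compare_digest(request_token, cookie_token):   # constant-time compare
        return False, "CSRF token missing or incorrect"
    return True, "submitted token matches cookie"

def demo():
    """Cookie only (the thread's 403), cookie + header (what ajaxSend adds), cookie + field."""
    tok = "constructedtokenvalue00000000000"
    base = dict(method="POST", host="example.test", cookies={"csrftoken": tok})
    return {
        "cookie_only": csrf_check(Request(**base))[0],
        "with_header": csrf_check(Request(**base, headers={"X-CSRFToken": tok}))[0],
        "with_field": csrf_check(Request(**base, post={"csrfmiddlewaretoken": tok}))[0],
    }
```

The cookie_only case is exactly an ajaxSubmit POST that reads $.cookie('csrftoken') but never puts the value in the header or the form data.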

On Wednesday, April 9, 2014 1:57:24 PM UTC-5, John Fabiani wrote:

    Also I was using jquery 1.4 with Django 1.2.  Should I upgrade
    the jquery?

    Johnf
    On 04/09/2014 11:54 AM, John Fabiani wrote:
    I've read that paragraph 15 different ways (maybe even standing
    on my head).  I still don't understand what I'm missing.
    Believe me I realize I might be the only person that doesn't get
    it - such is life.

    Could you highlight what exactly I'm missing?  What do you mean
    by "missing necessary headers"?

    The code that includes the 'headers' in the docs is exactly the
    part I don't understand.  Where does that code go and how does
    it relate to my code?

    Johnf

    On 04/09/2014 10:51 AM, C. Kirby wrote:
    Hi John,
    You are mostly there, but you are missing necessary headers on
    the ajax request.
    It isn't that much code. Just follow the couple of paragraphs
    of doc and examples here:
    https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/#ajax

    Kirby

    On Wednesday, April 9, 2014 12:47:12 PM UTC-5, John Fabiani wrote:

        Hi,

        I'll be honest, this {% csrf_token %} has me completely
        baffled.  I have read the docs and I guess I have to admit
        I don't understand what I'm doing.

        I have
        <form  id="registration_form" method="post"
        action="/register/registeruser/" >
        {% csrf_token %} ...
        Which I think is the correct way to add the token.

        My form uses
        submitHandler : function(form){
            $(form).ajaxSubmit({beforeSubmit : showRequest, success: showResponse, dataType : "json"});
        }

        The submit button does this:
        function showRequest(formData, jqForm, options){
                var csrftoken = $.cookie('csrftoken');

        But I still get a 403 error.  I need some help.

        Below is the entire code for the view:
        https://dpaste.de/JOZE


        Thanks in advance,
        Johnf


-- You received this message because you are subscribed to the
    Google Groups "Django users" group.
    To unsubscribe from this group and stop receiving emails from
    it, send an email to [email protected].
    To post to this group, send email to [email protected].
    Visit this group at http://groups.google.com/group/django-users.
    To view this discussion on the web visit
    https://groups.google.com/d/msgid/django-users/5345976E.7090406%40jfcomputer.com.
    For more options, visit https://groups.google.com/d/optout.
