Hi Larry,

On 12/08/2014 07:14 AM, Larry Martell wrote:
> On Sat, Dec 6, 2014 at 1:41 AM, James Schneider <[email protected]> wrote:
>> Check out Collin's email from earlier, it has an example using curl but you
>> should be able to adapt your web request with the cookie and POST values via
>> the python script. The cookie and POST values for the CSRF token can be
>> anything, they just need to match.
>>
>> https://groups.google.com/d/msgid/django-users/fb6e54a8-c9e7-45f7-882f-bc05c8ee90d2%40googlegroups.com?utm_medium=email&utm_source=footer
>
> Thanks. This is very simple. So simple I didn't even think of this.
> But then can't anyone override the CSRF protection very easily?
This is explained in the link to a previous thread that I posted above. The
CSRF protection works because malicious JS can't control the value of the CSRF
cookie submitted by your browser.

Carl

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/5485D578.9060201%40oddbird.net.
For more options, visit https://groups.google.com/d/optout.
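The point Carl makes above (the token can be any value, it only has to appear in both the cookie and the POST body, and a page on another origin cannot read or set the cookie) is easier to see against a small model of the double-submit check. The following is an added example written for this thread, not Django's own middleware code or API: `Request`, `csrf_check`, `scripted_post` and `cross_site_post` are constructed names, and the token values in `cross_site_post` are made up. It shows a scripted client that passes the check by choosing one value and sending it in both places, and a cross-origin form submission that fails because the victim's browser attaches its own `csrftoken` cookie while the form field carries a value the cookie does not match.

```python
import hmac
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

# Constructed model of the double-submit cookie check (the idea behind
# Django's CsrfViewMiddleware). Everything below is illustration code
# written for this thread, not Django's own implementation.

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Cookie": "csrftoken=..."}
    body: str       # application/x-www-form-urlencoded


def cookie_token(request):
    """Return the csrftoken cookie value the browser (or script) sent, if any."""
    jar = SimpleCookie()
    jar.load(request.headers.get("Cookie", ""))
    morsel = jar.get("csrftoken")
    return morsel.value if morsel else None


def form_token(request):
    """Return the csrfmiddlewaretoken field from the POST body, if any."""
    fields = parse_qs(request.body)
    return fields.get("csrfmiddlewaretoken", [None])[0]


def csrf_check(request):
    """Accept only if both tokens are present and equal; safe methods are exempt."""
    if request.method in SAFE_METHODS:
        return True
    cookie_value = cookie_token(request)
    form_value = form_token(request)
    if cookie_value is None or form_value is None:
        return False
    # Constant-time comparison so response timing does not leak how many
    # leading characters of the submitted token were correct.
    return hmac.compare_digest(cookie_value, form_value)


def scripted_post(fields):
    """Legitimate scripted client (the curl/Python case from the thread):
    it picks one random value and sends it as both cookie and form field."""
    token = secrets.token_hex(16)
    body = urlencode({**fields, "csrfmiddlewaretoken": token})
    return Request("POST", {"Cookie": f"csrftoken={token}"}, body)


def cross_site_post(fields):
    """Constructed cross-origin scenario: the victim's browser attaches the
    site's csrftoken cookie automatically, but the page that built the form
    lives on another origin and could not read that cookie, so the form
    field carries a value the cookie does not match."""
    victim_cookie = "victimcookie0123456789abcdef0123"   # constructed value
    unrelated = "somethingelse0123456789abcdef0123"      # constructed value
    body = urlencode({**fields, "csrfmiddlewaretoken": unrelated})
    return Request("POST", {"Cookie": f"csrftoken={victim_cookie}"}, body)


if __name__ == "__main__":
    print("scripted client:", csrf_check(scripted_post({"q": "hello"})))    # True
    print("cross-origin form:", csrf_check(cross_site_post({"q": "hello"})))  # False
    print("no cookie at all:", csrf_check(Request("POST", {}, "csrfmiddlewaretoken=x")))  # False
```

The model answers Larry's question directly: "anyone" can satisfy the check from a client they control, because that client already has the user's session and sets both values itself; what the check stops is a request the user did not intend, assembled by a page on another origin that can trigger the browser to send the cookie but cannot read it to copy into the form.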

