There's a problem with CSRF protection and XHR requests. It works perfectly if the 'csrftoken' cookie has already been set. But what if it hasn't? The cookie with the token will only be set if META["CSRF_COOKIE_USED"] is True [1]. It is set to True in the function get_token() [2]. get_token() is called in CsrfResponseMiddleware [3] (it's deprecated, I'm not using it) and in the 'csrf' context processor [4] (note: calling it is lazy, so I need to use {% csrf_token %} or at least get the value of the csrf_token variable).

But in my project I'm not using {% csrf_token %} anywhere. According to the documentation [5], I'm not required to do anything else but write some simple JavaScript code. Actually, that's not true. I have to put the line "request.META['CSRF_COOKIE_USED'] = True" in every view (or write an appropriate decorator). What is more, it will affect users who haven't come across a page where csrf_token is used but whose browser needs to send an XHR POST request.

This affects the SVN version. I don't know if other versions are affected.

[1] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L236
[2] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L67
[3] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L270
[4] http://code.djangoproject.com/browser/django/trunk/django/core/context_processors.py#L38
[5] http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
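One way to apply the workaround described above, as an added example that is not part of the original post or of Django's own code: a view decorator that sets request.META['CSRF_COOKIE_USED'] before the view runs. FakeRequest, FakeResponse and simulated_process_response are constructed stand-ins (assumptions, not Django classes) that mirror only the cookie-setting condition the post points at in csrf.py, so the example runs without Django installed.

```python
import functools


def ensure_csrf_cookie(view):
    """Decorator for a Django view: mark the CSRF cookie as 'used' so the
    response middleware writes it even when no template rendered
    {% csrf_token %}. This is the per-view line from the post, wrapped."""
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        # Same flag the post describes; get_token() would set it as well.
        request.META["CSRF_COOKIE_USED"] = True
        return view(request, *args, **kwargs)
    return wrapper


# --- constructed stand-ins so the example runs offline (not Django) ---
class FakeRequest:
    def __init__(self):
        self.META = {}


class FakeResponse:
    def __init__(self, body):
        self.body = body
        self.cookies = {}


def simulated_process_response(request, response, token="constructed-token"):
    """Mirrors the condition the post cites: the csrftoken cookie is written
    only when META['CSRF_COOKIE_USED'] is True."""
    if request.META.get("CSRF_COOKIE_USED", False):
        response.cookies["csrftoken"] = token
    return response


def plain_view(request):
    # A JSON-style view that never renders {% csrf_token %}.
    return FakeResponse('{"ok": true}')


@ensure_csrf_cookie
def decorated_view(request):
    return FakeResponse('{"ok": true}')


def cookie_is_set(view):
    """Run one request through the view and the simulated middleware and
    report whether the browser would receive the csrftoken cookie."""
    request = FakeRequest()
    response = simulated_process_response(request, view(request))
    return "csrftoken" in response.cookies
```

Without the decorator a first-time visitor's XHR POST has no cookie to copy the token from; with it, the cookie is issued on the first response.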