There's a problem with CSRF protection and XHR requests. It works perfectly
if the 'csrftoken' cookie has already been set. But what if it's not?
The cookie with the token will be set only if META["CSRF_COOKIE_USED"] is True [1].
It's set to True in the function get_token() [2]. get_token() is called in
CsrfResponseMiddleware [3] (it's deprecated, I'm not using it) and in the 'csrf'
context processor [4] (note: calling it is lazy, so I need to use {% csrf_token %}
or at least get the value of the csrf_token variable).

But in my project I'm not using {% csrf_token %} anywhere. According to the
documentation [5] I'm not required to do anything else but write some simple
JavaScript code. Actually that's not true. I have to put the line
"request.META['CSRF_COOKIE_USED'] = True" in every view (or write an
appropriate decorator).

What's more, it will affect users who haven't come across a page where
csrf_token is used, but whose browser needs to send an XHR POST request.

It affects the svn version. I don't know if other versions are affected.

[1] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L236
[2] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L67
[3] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L270
[4] http://code.djangoproject.com/browser/django/trunk/django/core/context_processors.py#L38
[5] http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
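As an added illustration (not code from the post, and not Django's own implementation), the following simplified Python model shows the mechanism the post describes: the middleware only emits the csrftoken cookie when something has marked META['CSRF_COOKIE_USED'] during the request, which get_token() does. A view that never renders {% csrf_token %} therefore never gets the cookie, and a decorator that calls get_token() is the workaround the post proposes. The Request, Response, process_request, process_response and ensure_csrf_cookie names here are constructed stand-ins for Django's middleware and decorator machinery, kept minimal so the block runs without Django installed.

```python
"""Simplified model of how the csrftoken cookie gets set (constructed for
illustration; not Django's code).  The cookie is only written out if the
request was flagged with META['CSRF_COOKIE_USED'], which get_token() sets.
"""
import functools
import secrets


class Request:
    """Stand-in for an HTTP request: incoming cookies plus a META dict."""

    def __init__(self, cookies=None):
        self.COOKIES = dict(cookies or {})
        self.META = {}


class Response:
    """Stand-in for an HTTP response that can carry outgoing cookies."""

    def __init__(self, body=""):
        self.body = body
        self.cookies = {}


def get_token(request):
    # Behaviour the post attributes to get_token(): mark the cookie as used
    # (so process_response will send it) and return the current token.
    request.META["CSRF_COOKIE_USED"] = True
    return request.META["CSRF_COOKIE"]


def process_request(request):
    # Reuse the token from an existing csrftoken cookie, otherwise mint one
    # (simplified; Django's real token handling has more to it).
    token = request.COOKIES.get("csrftoken") or secrets.token_hex(16)
    request.META["CSRF_COOKIE"] = token


def process_response(request, response):
    # The gate the post describes: no CSRF_COOKIE_USED flag, no cookie.
    if request.META.get("CSRF_COOKIE_USED"):
        response.cookies["csrftoken"] = request.META["CSRF_COOKIE"]
    return response


def ensure_csrf_cookie(view):
    # Hypothetical decorator (assumed, not from the page) implementing the
    # post's suggested fix: force the flag on for XHR-only pages.
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        get_token(request)
        return view(request, *args, **kwargs)
    return wrapper


def plain_view(request):
    # A page that never renders {% csrf_token %}: the cookie is never sent.
    return Response("page without csrf_token")


@ensure_csrf_cookie
def xhr_page_view(request):
    # A page whose JavaScript will later POST via XHR and needs the cookie.
    return Response("page whose script posts via XHR")


def run(view, cookies=None):
    """Drive one request through the simulated middleware pipeline."""
    request = Request(cookies)
    process_request(request)
    response = view(request)
    return process_response(request, response)


if __name__ == "__main__":
    print("plain view sets cookie:", "csrftoken" in run(plain_view).cookies)
    print("decorated view sets cookie:",
          "csrftoken" in run(xhr_page_view).cookies)
```

Running it shows the plain view never emits a csrftoken cookie while the decorated view does, and that a decorated view keeps an existing cookie's token rather than rotating it, so a first-time visitor to an XHR-only page gets the cookie their script needs.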

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
