Hi Greg,

so the extension inserts some JavaScript into the current page and if the user clicks a button it will post the page to your application. Is that correct?
Do you have the csrftoken in your extension? I think Django searches for the token in multiple places: HTTP header, cookie, post. Now I don't think you can add the csrftoken in a cookie.
To make it appear in the post you would have to add the token into the form as a hidden field, something like this:

<input type="hidden" name="csrfmiddlewaretoken" value="NdZxiJLQgrKImN1iOXKzbWSehoeU7YKv8MBqGI0yn6i1AmQeOs3s1iArwLHA3lmI">

Regards,
Norbert.

On 21 February 2018 at 09:20, Greg Barker <[email protected]> wrote:

> Thanks for the reply Norbert. I did see that page, where would the
> csrftoken cookie come from in this case though? Since I'm injecting my
> JavaScript onto a page hosted on a separate domain, there's no csrftoken
> cookie set there.
>
> I came across this post on Stack Overflow:
> https://stackoverflow.com/questions/30871033/django-rest-framework-remove-csrf
>
> Is that what I need to do here?
>
> On Tue, Feb 20, 2018 at 2:26 AM, Norbert Mate <[email protected]>
> wrote:
>
>> This also might be useful:
>> https://gist.github.com/bengolder/aa9033efc8959dc38e5d
>>
>>
>> On Tuesday, February 20, 2018 at 1:54:36 AM UTC+2, Greg Barker wrote:
>>
>>> Hello -
>>>
>>> I'm working on a Chrome Extension that will inject some JavaScript into
>>> a third-party webpage in order to add some additional functionality.
>>>
>>> For part of this functionality, I need to be able to do HTTP POST back
>>> to my server. I've added it as a trusted origin in my settings.py:
>>>
>>> CORS_ORIGIN_WHITELIST = (
>>>     'www.thirdpartysite.com',
>>> )
>>>
>>> CSRF_TRUSTED_ORIGINS = (
>>>     'www.thirdpartysite.com',
>>> )
>>>
>>> I also added the CorsPostCsrfMiddleware as described here:
>>> https://github.com/ottoyiu/django-cors-headers#cors_replace_https_referer
>>>
>>> However, my HTTP POST from within the Chrome Extension still fails with:
>>>
>>> {"detail":"CSRF Failed: CSRF token missing or incorrect."}
>>>
>>> How do I handle CSRF protection in Django Rest Framework for this
>>> scenario?
>>>
>>> Thanks!
>>> Greg
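Added example, not code from this thread or from Django/DRF: a simplified stand-alone model of the cookie-versus-submitted-token comparison behind the CSRF failure discussed above, showing that a hidden field or header only passes when it matches the secret in the browser's `csrftoken` cookie. The names `csrftoken`, `csrfmiddlewaretoken` and `X-CSRFToken` are Django's defaults; the helper functions, the reason strings and the sample requests are assumptions constructed for the model.

```python
import hmac
import secrets
import string

CHARS = string.ascii_letters + string.digits
SECRET_LEN = 32  # a masked token is salt + cipher = 64 characters

def new_secret():
    return "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))

def mask(secret):
    """Salt + secret shifted by the salt; the result differs on every call."""
    salt = new_secret()
    cipher = "".join(CHARS[(CHARS.index(s) + CHARS.index(k)) % len(CHARS)]
                     for s, k in zip(secret, salt))
    return salt + cipher

def unmask(token):
    """Recover the secret from a 64-character masked token."""
    salt, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(CHARS[(CHARS.index(c) - CHARS.index(k)) % len(CHARS)]
                   for c, k in zip(cipher, salt))

def well_formed(token):
    return (isinstance(token, str) and len(token) == 2 * SECRET_LEN
            and all(ch in CHARS for ch in token))

def check_csrf(cookies, post, headers):
    """Return (accepted, reason) for one unsafe request (model only)."""
    cookie_token = cookies.get("csrftoken")
    if not well_formed(cookie_token):
        return False, "no csrftoken cookie"
    # The form field is consulted first, then the request header.
    submitted = post.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken")
    if not (well_formed(submitted) and hmac.compare_digest(
            unmask(submitted), unmask(cookie_token))):
        return False, "token missing or incorrect"
    return True, "ok"

def demo():
    """Constructed requests: one secret for this browser, one for another."""
    mine, other = new_secret(), new_secret()
    cookie = {"csrftoken": mask(mine)}
    return {
        "no_cookie": check_csrf({}, {}, {}),
        "cookie_only": check_csrf(cookie, {}, {}),
        "foreign_field": check_csrf(cookie, {"csrfmiddlewaretoken": mask(other)}, {}),
        "matching_field": check_csrf(cookie, {"csrfmiddlewaretoken": mask(mine)}, {}),
        "matching_header": check_csrf(cookie, {}, {"X-CSRFToken": mask(mine)}),
    }
```

Calling `demo()` returns the verdict for each constructed request; only the two requests whose submitted token unmasks to the cookie's secret are accepted.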
