#27534: Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs
------------------------------------------+------------------------
               Reporter:  Andrew Charles  |          Owner:  nobody
                   Type:  Uncategorized   |         Status:  new
              Component:  Documentation   |        Version:
               Severity:  Normal          |       Keywords:
           Triage Stage:  Unreviewed      |      Has patch:  0
    Needs documentation:  0               |    Needs tests:  0
Patch needs improvement:  0               |  Easy pickings:  0
                  UI/UX:  0               |
------------------------------------------+------------------------
 https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
 https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

There should be a note in the CSRF AJAX docs that the {{{CSRF_COOKIE_HTTP_ONLY}}} setting will prevent non-safe AJAX calls from working (if using the JS provided). It should note that you have to include the CSRF token via the template tag {{{{% csrf_token %}}}}, and update the JS with something like this:

{{{#!javascript
var csrftoken = getCookie('csrftoken');
if (csrftoken === null) {
    // Cookie not readable from script; fall back to the hidden form field.
    csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
    // .val() returns undefined when no element matches, so use a loose null check.
    if (csrftoken == null) {
        console.log('No csrf token');
    }
}
}}}

This is my first Django issue/ticket, sorry if I missed anything.

--
Ticket URL: <https://code.djangoproject.com/ticket/27534>
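
An added example, not part of the ticket or of Django's documentation: the same cookie-then-hidden-field fallback without jQuery, extended so the token is attached only to unsafe, same-origin requests. The function names and the `fakeDoc` stand-in are hypothetical; `X-CSRFToken` is Django's default CSRF header name, and in a browser you would pass `document.cookie` and `document`.

```javascript
// Added example: resolve Django's CSRF token when the cookie may be HttpOnly.
// Inputs are passed in explicitly so the logic runs in Node or in a browser.

// Read one cookie value from a "k=v; k2=v2" string; null when absent.
function getCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Cookie first; if it is hidden from script, fall back to the hidden input
// rendered by {% csrf_token %}. `doc` only needs querySelector().
function resolveCsrfToken(cookieString, doc) {
  const fromCookie = getCookie(cookieString, 'csrftoken');
  if (fromCookie) return fromCookie;
  const input = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  return input && input.value ? input.value : null;
}

// GET, HEAD, OPTIONS and TRACE are "safe" and need no token.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build headers for a request: attach the token only to unsafe,
// same-origin requests so it is never sent to another site.
function csrfHeaders(method, url, pageOrigin, cookieString, doc) {
  if (csrfSafeMethod(method)) return {};
  if (new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin) return {};
  const token = resolveCsrfToken(cookieString, doc);
  if (token === null) throw new Error('No CSRF token in cookie or page');
  return { 'X-CSRFToken': token };
}

// Constructed stand-in for a page whose template used {% csrf_token %}.
const fakeDoc = (value) => ({
  querySelector: (sel) =>
    sel === 'input[name="csrfmiddlewaretoken"]' && value !== null ? { value } : null,
});
```
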