#27534: Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs
------------------------------------------+------------------------
               Reporter:  Andrew Charles  |          Owner:  nobody
                   Type:  Uncategorized   |         Status:  new
              Component:  Documentation   |        Version:
               Severity:  Normal          |       Keywords:
           Triage Stage:  Unreviewed      |      Has patch:  0
    Needs documentation:  0               |    Needs tests:  0
Patch needs improvement:  0               |  Easy pickings:  0
                  UI/UX:  0               |
------------------------------------------+------------------------
 https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
 https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

 There should be a note in the CSRF AJAX docs that the
 {{{CSRF_COOKIE_HTTP_ONLY}}} setting will prevent non-safe AJAX calls from
 working (if using the JS provided). It should note that you have to
 include the CSRF token via the template tag {{{{% csrf_token %}}}}, and
 update the JS with something like this:
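 {{{#!javascript
 // getCookie() is the helper from the CSRF AJAX docs; it returns null
 // when the cookie is not readable from script.
 var csrftoken = getCookie('csrftoken');
 if (!csrftoken) {
     // Fall back to the hidden input rendered by {% csrf_token %}.
     // jQuery's .val() returns undefined (not null) when nothing matches.
     csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
     if (!csrftoken) {
         console.log('No csrf token');
     }
 }
 }}}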

 This is my first Django issue/ticket, sorry if I missed anything.

--
Ticket URL: <https://code.djangoproject.com/ticket/27534>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
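
Added example, not part of the ticket or of Django's documentation: the cookie-then-form fallback the ticket asks for, written as pure functions so the behaviour with an HttpOnly cookie (`CSRF_COOKIE_HTTPONLY`, the setting linked at the top of the ticket) can be checked outside a browser. `resolveCsrfToken`, `csrfHeaders` and the `readFormToken` callback are hypothetical names; the token strings used to exercise them are constructed.

```javascript
// Added example: resolve Django's CSRF token when the cookie may be HttpOnly.
// Pure functions so they run in Node as well as in a browser.

// Parse one cookie out of a document.cookie-style string; null if absent.
function getCookie(name, cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Methods Django's CSRF middleware does not check.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Cookie first; if it is hidden from script (HttpOnly), use the value that
// {% csrf_token %} rendered into the page. readFormToken is a hypothetical
// callback returning that hidden input's value, or undefined/null if absent.
function resolveCsrfToken(cookieString, readFormToken) {
  const fromCookie = getCookie('csrftoken', cookieString);
  if (fromCookie) return fromCookie;
  const fromForm = readFormToken();
  return fromForm ? fromForm : null; // normalises undefined and '' to null
}

// Headers to add to a request; throws rather than sending an unsafe
// request that the server would reject with 403.
function csrfHeaders(method, token) {
  if (csrfSafeMethod(method)) return {};
  if (!token) throw new Error('No CSRF token available for ' + method);
  return { 'X-CSRFToken': token };
}

// Browser wiring (not executed under Node):
if (typeof document !== 'undefined') {
  const token = resolveCsrfToken(document.cookie, () => {
    const el = document.querySelector('input[name="csrfmiddlewaretoken"]');
    return el ? el.value : undefined;
  });
  console.log(token ? 'CSRF token found' : 'No csrf token');
}
```
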
