Cross Site Request Forgery (csrf) via POST / JQuery

Tue, 22 Feb 2011 17:30:52 -0800 

Hi

I'm using Django's CSRFViewMiddleware and am making a POST request in
a page (using JQuery) in the form of:

$.post('{% url posted_to_wall %}', {
                                        network: 'FBK',
                                        action_type: 'feed',
                                        effect: 1
                                });

In order to satisfy the csrf_token check, I have implemented the
instructions from the Django docs: 
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
(with some tweaks to only run the csrf on POST and not GET)

$('html').ajaxSend(function(event, xhr, settings) {
    xhr.setRequestHeader("x-testing1", 'testme1');
    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            // optimise this!
            for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we
want?
                if (cookie.substring(0, name.length + 1) == (name +
'=')) {
                    cookieValue =
decodeURIComponent(cookie.substring(name.length + 1));
                    //console.log('cookie is ' + cookieValue);
                    break;
                }
            }
        }
        return cookieValue;
    }

//console.log(/^http:.*/.test(settings.url));

        if (settings.type == 'POST') {
        if (!(/^http:.*/.test(settings.url) || /
^https:.*/.test(settings.url))) {
                // Only send the token to relative URLs i.e. locally.
                // console.log('we\'re local ajax');
                xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
        }
        }
});

However, the X-CSRFToken request is not being set by the command
xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

I have tried on both Chrome 11.0.672.2 dev and Firefox 4.0b11

I have worked around the issue by adding  csrfmiddlewaretoken: $
('input[name|="csrfmiddlewaretoken"]').attr('value')  to my POST data,
but would prefer to have it all done with the .ajaxSend method
presented in the Django Docs.

Does anyone have any suggestions as to why the xhr.setRequestHeader()
doesn't work?

Thanks is advance

Goran!

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.

Reply via email to