Did you try adding the custom header X-CSRFToken? Try this solution if you're using jQuery:

    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
                // Only send the token to relative URLs i.e. locally.
                xhr.setRequestHeader("X-CSRFToken", $("#csrfmiddlewaretoken").val());
            }
        }
    });

http://www.djangoproject.com/weblog/2011/feb/08/security/

On 9 Mar, 14:59, cootetom <coote...@gmail.com> wrote:
> I am experiencing some off behaviour with CSRF but only in IE
> browsers. Using Django 1.2.5 (final).
>
> I have a page that has no form and no use of {% csrf_token %} but it
> does make a POST request using JavaScript. I have implemented the
> jQuery code to grab the CSRF cookie value for all AJAX requests. The
> strange thing is that in IE browsers there is no CSRF cookie but in
> all other browsers, on the same page that cookie exists. So IE
> browsers get 403 for AJAX requests and other browsers work just fine.
>
> I'm just using the django.middleware.csrf.CsrfViewMiddleware
> middleware.
>
> Here is the scenario to replicate this:
>
> 1. Visit a page that does have a form and so does have a
>    {% csrf_token %}
> 2. Move onto a page that doesn't make use of {% csrf_token %} but does
>    still do a JavaScript POST. The JavaScript POST will work this time
>    around.
> 3. Close the web browser down, re-open it but go directly to the web
>    page that doesn't use {% csrf_token %} but does make a JavaScript
>    POST. This will now fail as no cookie has been set for CSRF.
>
> The documentation says the cookie is set for every request so I don't
> understand this?
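
A stricter form of the "only send the token locally" check from the snippet in this thread, as an added example that is not part of the original posts: it compares origins instead of testing for an http:/https: prefix, so a protocol-relative URL such as //other.example/ is not treated as local, and it reads the token from the CSRF cookie. The function names, the example hosts and the use of the WHATWG URL constructor are assumptions of this sketch; "csrftoken" is Django's default cookie name.

```javascript
// Added example; the function names are chosen for this sketch.
// Assumes a runtime with the WHATWG URL constructor.

// Read one cookie value from a document.cookie-style string.
function getCookie(cookieString, name) {
  var parts = (cookieString || "").split(";");
  for (var i = 0; i < parts.length; i++) {
    var c = parts[i].trim();
    if (c.indexOf(name + "=") === 0) {
      return decodeURIComponent(c.substring(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CSRF middleware does not check.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method || "GET");
}

// Resolve the request URL against the page origin and compare origins.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: do not attach the token
  }
}

function shouldSendToken(url, method, pageOrigin) {
  return !csrfSafeMethod(method) && isSameOrigin(url, pageOrigin);
}

// Browser-only wiring; skipped where jQuery or document is absent.
if (typeof $ !== "undefined" && typeof document !== "undefined") {
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      var origin = location.protocol + "//" + location.host;
      var token = getCookie(document.cookie, "csrftoken"); // Django's default cookie name
      if (token && shouldSendToken(settings.url, settings.type, origin)) {
        xhr.setRequestHeader("X-CSRFToken", token);
      }
    }
  });
}
```

When the cookie is absent, getCookie returns null and no header is set, so the request fails with Django's 403 rather than going out with an empty token.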