If it's not too much trouble for you, I've switched to GETs instead of POSTs
for my AJAX calls, so I won't have to think about CSRF again.
On 9 March 2011 14:12, krzysiekpl <krzysie...@gmail.com> wrote:

> Did you try adding the custom header X-CSRFToken? Try this solution if you're
> using jQuery:
>
> $.ajaxSetup({
>     beforeSend: function(xhr, settings) {
>         if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
>             // Only send the token to relative URLs i.e. locally.
>             xhr.setRequestHeader("X-CSRFToken",
>                                  $("#csrfmiddlewaretoken").val());
>         }
>     }
> });
>
> http://www.djangoproject.com/weblog/2011/feb/08/security/
>
> On 9 Mar, 14:59, cootetom <coote...@gmail.com> wrote:
> > I am experiencing some odd behaviour with CSRF but only in IE
> > browsers. Using Django 1.2.5 (final).
> >
> > I have a page that has no form and no use of {% csrf_token %} but it
> > does make a POST request using JavaScript. I have implemented the
> > jQuery code to grab the CSRF cookie value for all AJAX requests. The
> > strange thing is that in IE browsers there is no CSRF cookie but in
> > all other browsers, on the same page that cookie exists. So IE
> > browsers get 403 for AJAX requests and other browsers work just fine.
> >
> > I'm just using the django.middleware.csrf.CsrfViewMiddleware
> > middleware.
> >
> > Here is the scenario to replicate this:
> >
> > 1. Visit a page that does have a form and so does have a {% csrf_token
> > %}
> > 2. Move onto a page that doesn't make use of {% csrf_token %} but does
> > still do a JavaScript POST. The JavaScript POST will work this time
> > around.
> > 3. Close the web browser down, re-open it but go directly to the web
> > page that doesn't use {% csrf_token %} but does make a JavaScript
> > POST. This will now fail as no cookie has been set for CSRF.
> >
> > The documentation says the cookie is set for every request so I don't
> > understand this?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
>
>

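An added example, not code from this thread or from Django itself: the X-CSRFToken header approach suggested above, written so that it reads the token from the `csrftoken` cookie (the value CsrfViewMiddleware compares the header against) rather than from a hidden input that a formless page does not have, and attaches it only to same-origin requests whose method the middleware actually checks. Two facts about Django 1.2.5 sit behind the symptoms in the thread. The 1.2.5 release (the security post linked above) removed the exemption for requests carrying X-Requested-With, which is why AJAX POSTs now need the header at all. And the middleware sets the `csrftoken` cookie only on responses in which the token was used, via `{% csrf_token %}` or `django.middleware.csrf.get_token(request)`; a page with no form, opened first in a fresh browser session, therefore arrives with no cookie until its view calls `get_token()`, which is the step-3 scenario. CsrfViewMiddleware skips GET, HEAD, OPTIONS and TRACE entirely, so moving a state-changing call to GET removes the 403 by removing the check: a cross-site page can trigger such a GET with a plain `<img>` or link. The cookie strings, origins and URLs in the test are constructed; `installJQueryHook` assumes jQuery is loaded and is only wired up in a browser. The origin test goes beyond the quoted regex by also rejecting protocol-relative URLs such as `//other.example/`.

```javascript
// Added example: CSRF header hook for Django-style AJAX calls.
// Pure functions are usable in Node for testing; installJQueryHook wires
// them into jQuery in a browser (assumes jQuery is already loaded).

const CSRF_COOKIE_NAME = 'csrftoken';   // Django's default CSRF cookie name
const CSRF_HEADER_NAME = 'X-CSRFToken'; // header CsrfViewMiddleware reads
// Methods CsrfViewMiddleware does not check; everything else must carry a token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one cookie out of a "k=v; k2=v2" string (the document.cookie format).
// Returns null when the cookie is absent.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Same-origin test. Relative paths pass; absolute URLs pass only when their
// origin matches ours; protocol-relative URLs ("//host/...") are rejected,
// which the regex in the quoted snippet does not do.
function isSameOrigin(url, origin) {
  if (url.startsWith('//')) return false;
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) {
    try {
      return new URL(url).origin === origin;
    } catch (e) {
      return false; // unparsable absolute URL: never leak the token
    }
  }
  return true; // relative URL, same origin by construction
}

// Send the token only for methods the middleware checks, and only to our origin.
function shouldSendToken(method, url, origin) {
  return !SAFE_METHODS.has(method.toUpperCase()) && isSameOrigin(url, origin);
}

// Headers to add to one request.
//   {}   -> no token needed (safe method or foreign origin)
//   null -> token needed but the csrftoken cookie is missing; Django will 403,
//           so the server must set the cookie first (get_token() in the view)
//   {...}-> the X-CSRFToken header to attach
function csrfHeadersFor(method, url, cookieString, origin) {
  if (!shouldSendToken(method, url, origin)) return {};
  const token = getCookie(CSRF_COOKIE_NAME, cookieString);
  if (token === null) return null;
  return { [CSRF_HEADER_NAME]: token };
}

// jQuery wiring (assumption: jQuery is loaded; browser only).
function installJQueryHook($) {
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      const headers = csrfHeadersFor(settings.type || 'GET', settings.url,
                                     document.cookie, window.location.origin);
      if (headers === null) {
        // Fail loudly instead of letting the request 403 silently.
        console.error('csrftoken cookie missing; the view must call get_token()');
        return false; // returning false from beforeSend cancels the request
      }
      for (const [name, value] of Object.entries(headers)) {
        xhr.setRequestHeader(name, value);
      }
      return true;
    },
  });
}

if (typeof window !== 'undefined' && window.jQuery) {
  installJQueryHook(window.jQuery);
}
```

The returned `null` for a missing cookie is the client-side counterpart of the 403 the thread reports: the right fix is server-side, making the view that renders the formless page call `django.middleware.csrf.get_token(request)` so the cookie is issued, not dropping the check by switching to GET.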