+1 for doing it right from the beginning.

I was tempted to disable it when trying to deal with AJAX, especially early on.
Below is some code with jQuery so that you won't need to manually feed the
token through your AJAX calls.

<script type="text/javascript">
// Attach Django's CSRF token to every jQuery AJAX request that needs it,
// so no per-call header or form field is required.
jQuery(document).ajaxSend(function(event, xhr, settings) {
    // Read a cookie by name. Django's csrftoken cookie is readable from
    // script only while CSRF_COOKIE_HTTPONLY is off (the default); if it is
    // on, take the token from the {% csrf_token %} hidden input instead.
    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }
    // Only same-origin requests may carry the token; sending it to another
    // host would hand that host a valid token for this user.
    function sameOrigin(url) {
        // url could be relative or scheme relative or absolute
        var host = document.location.host; // host + port
        var protocol = document.location.protocol;
        var sr_origin = '//' + host;
        var origin = protocol + sr_origin;
        // Allow absolute or scheme relative URLs to same origin. The trailing
        // '/' is required so that "https://example.com.attacker.net" does
        // not pass as "https://example.com".
        return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
            (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
            // or any other URL that isn't scheme relative or absolute, i.e. relative.
            // The scheme match is case-insensitive: browsers accept "HTTP://..."
            // as absolute, so it must not be mistaken for a relative URL.
            !(/^(\/\/|http:|https:)/i.test(url));
    }
    // Django does not enforce the CSRF check on these methods; they must not
    // change state anyway.
    function safeMethod(method) {
        return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
    }

    if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
        xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
    }
});
</script>

On Monday, September 24, 2012 7:07:09 AM UTC-6, Mulianto wrote:
>
> Hi, better to use CSRF for your application's security.
>
> It is easier to disable it, but the security of your app is what you will think
> about after it is running later.
>
> Do it correctly now or later.
>
> Rgds,
>
> Mulianto
>
> On Mon, Sep 24, 2012 at 2:56 PM, yati sagade <yati....@gmail.com> wrote:
>
>> Remove {% csrf_token %} from the form AND leave the csrf_exempt decorator 
>> as it is in the view. Everyone faces challenges while learning a new thing. 
>> The key is to face it head on and not to move to somewhere you think there 
>> will be no challenges :)
>>
>>
>> On Mon, Sep 24, 2012 at 1:14 AM, puneet loya <punee...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> I was trying to disable CSRF. I am calling POST using AJAX.
>>>
>>> I have used the CSRF token and placed it below the form.
>>>
>>> In my views file I am using csrf_exempt.
>>>
>>> I am still getting the network forbidden error. :(
>>>
>>> If you require more information I will share it :)
>>>
>>> On Thursday, 19 August 2010 06:49:02 UTC+5:30, chenge wrote:
>>>>
>>>>
>>>>
>>>> On Aug 18, 4:29 AM, Rolando Espinoza La Fuente <dark...@gmail.com>
>>>> wrote:
>>>> > On Tue, Aug 17, 2010 at 8:01 AM, chenge <cheng...@gmail.com> wrote: 
>>>> > > I'm new to django. CSRF let me crazy! 
>>>> > 
>>>> > Can't use {% csrf_token %} tag inside your <form>'s? 
>>>> > 
>>>> > See csrf_exempt decorator: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions
>>>>  
>>>> > 
>>>> > Regards, 
>>>> > 
>>>> > Rolando Espinoza La Fuente
>>>> > www.insophia.com
>>>>
>>>> Thanks, I've decided to try Flask first, as that seems simple. Maybe I'll try
>>>> the exempt.
>>>
>>>  -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Django users" group.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msg/django-users/-/BQ5RpafQK3EJ.
>>> To post to this group, send email to django...@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> django-users...@googlegroups.com.
>>> For more options, visit this group at 
>>> http://groups.google.com/group/django-users?hl=en.
>>>
>>
>>
>>
>> -- 
>> Yati Sagade
>>
>> Software Engineer at mquotient <http://www.mquotient.net/>
>>
>> Twitter: @yati_itay <http://twitter.com/yati_itay> | Github:
>> yati-sagade <https://github.com/yati-sagade>
>>
>> Organizing member of TEDx EasternMetropolitanBypass
>> http://www.ted.com/tedx/events/4933
>>
>> https://www.facebook.com/pages/TEDx-EasternMetropolitanBypass/337763226244869
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-users/-/MJTcN5E8YhAJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.

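Added example, not code from the original post or from Django: the same decision the jQuery hook in the post makes (send X-CSRFToken only on unsafe, same-origin requests), rewritten as plain functions that take the page origin and the cookie string as parameters so it runs under Node without a browser, and exercised against constructed requests including a lookalike host, a different port and an upper-case scheme. The origin, cookie values and URLs are made up for the test. It goes slightly beyond the snippet above in one respect: the scheme match is case-insensitive, so "HTTP://evil.net/" is classified as absolute rather than relative.

```javascript
// Added example, not from the original post. Pure-function version of the
// "attach X-CSRFToken only to unsafe, same-origin requests" rule, written so
// it runs under Node: the page origin and the cookie string are parameters
// instead of document.location / document.cookie.

// Return the value of cookie `name` from a document.cookie-style string, or
// null. The "name=" prefix is matched after trimming, so "xcsrftoken=..."
// does not satisfy a lookup for "csrftoken".
function getCookie(cookieHeader, name) {
  if (!cookieHeader) return null;
  for (const raw of cookieHeader.split(';')) {
    const cookie = raw.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CSRF middleware does not check (they must not change state).
function safeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(String(method).toUpperCase());
}

// origin is "scheme://host[:port]", i.e. location.protocol + '//' + location.host.
// A URL is same-origin when it is the origin itself or the origin followed by
// "/", the scheme-relative form of either, or a relative URL. Requiring the
// "/" keeps "https://app.example.com.evil.net" from matching
// "https://app.example.com". The scheme test is case-insensitive because
// browsers accept "HTTP://evil.net/" as absolute; without /i it would be
// classified as relative and the token would be sent to evil.net.
function sameOrigin(origin, url) {
  const srOrigin = origin.replace(/^https?:/i, '');
  return url === origin ||
         url.slice(0, origin.length + 1) === origin + '/' ||
         url === srOrigin ||
         url.slice(0, srOrigin.length + 1) === srOrigin + '/' ||
         !/^(\/\/|https?:)/i.test(url);
}

// Headers to add to a request, or {} when the token must be withheld.
function csrfHeaders(origin, cookieHeader, method, url) {
  if (safeMethod(method) || !sameOrigin(origin, url)) return {};
  const token = getCookie(cookieHeader, 'csrftoken');
  return token === null ? {} : { 'X-CSRFToken': token };
}

// Constructed test fixtures: a made-up origin, cookie jar and request list.
const ORIGIN = 'https://app.example.com';
const COOKIES = 'sessionid=abc123; xcsrftoken=decoy; csrftoken=tok%2B123';
const REQUESTS = [
  ['POST', '/api/items'],                                // relative: token
  ['POST', 'https://app.example.com/api/items'],         // absolute same origin: token
  ['POST', '//app.example.com/api/items'],               // scheme-relative: token
  ['GET',  '/api/items'],                                // safe method: no token
  ['POST', 'https://app.example.com.evil.net/collect'],  // lookalike host: no token
  ['POST', 'https://app.example.com:8443/api/items'],    // other port: no token
  ['POST', 'HTTP://evil.net/collect'],                   // upper-case scheme: no token
];

// Decide for every fixture request; returns [method, url, sendsToken].
function decide(origin, cookies, requests) {
  return requests.map(([method, url]) =>
    [method, url, 'X-CSRFToken' in csrfHeaders(origin, cookies, method, url)]);
}

for (const [method, url, sends] of decide(ORIGIN, COOKIES, REQUESTS)) {
  console.log((sends ? 'token   ' : 'no token') + '  ' + method + ' ' + url);
}
```

Running it prints one line per fixture; only the first three requests get the header. The port case matters because location.host includes a non-default port, so a request to the same host on another port is a different origin and correctly gets no token.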