Thank you all for your suggestions :) :)

On Mon, Sep 24, 2012 at 7:56 PM, Nicolas Patry <patry.nico...@gmail.com> wrote:

> If you have access to the form (meaning you are in the DOM), and if you
> don't mind using jQuery, there is the even simpler:
>
> <script type="text/javascript">
> $.post("/some/url", $("#someform").serialize(), function(data){
>     // Do whatever with data
> });
> </script>
>
> $("#someform").serialize() automatically adds the csrf_token which should
> be contained in your form. This makes it a lot easier to validate your form
> via AJAX.
>
> Cheers,
> Nicolas Patry
>
> On Monday, September 24, 2012 4:00:02 PM UTC+2, jondykeman wrote:
>>
>> +1 For doing it right from the beginning.
>>
>> I was tempted to disable when trying to deal with AJAX, especially early
>> on. Below is some code with jQuery so that you won't need to manually feed
>> the token through your AJAX.
>>
>> <script type="text/javascript">
>> jQuery(document).ajaxSend(function(event, xhr, settings) {
>>     function getCookie(name) {
>>         var cookieValue = null;
>>         if (document.cookie && document.cookie != '') {
>>             var cookies = document.cookie.split(';');
>>             for (var i = 0; i < cookies.length; i++) {
>>                 var cookie = jQuery.trim(cookies[i]);
>>                 // Does this cookie string begin with the name we want?
>>                 if (cookie.substring(0, name.length + 1) == (name + '=')) {
>>                     cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
>>                     break;
>>                 }
>>             }
>>         }
>>         return cookieValue;
>>     }
>>     function sameOrigin(url) {
>>         // url could be relative or scheme relative or absolute
>>         var host = document.location.host; // host + port
>>         var protocol = document.location.protocol;
>>         var sr_origin = '//' + host;
>>         var origin = protocol + sr_origin;
>>         // Allow absolute or scheme relative URLs to same origin
>>         return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
>>             (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
>>             // or any other URL that isn't scheme relative or absolute, i.e. relative.
>>             !(/^(\/\/|http:|https:).*/.test(url));
>>     }
>>     function safeMethod(method) {
>>         return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
>>     }
>>
>>     if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
>>         xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
>>     }
>> });
>> </script>
>>
>> On Monday, September 24, 2012 7:07:09 AM UTC-6, Mulianto wrote:
>>>
>>> hi, better use csrf for your application security.
>>>
>>> it is easier to disable it, but security for your app is what you will
>>> think about after it is running later.
>>>
>>> do it correctly now or later.
>>>
>>> Rgds,
>>>
>>> Mulianto
>>>
>>> On Mon, Sep 24, 2012 at 2:56 PM, yati sagade <yati....@gmail.com> wrote:
>>>
>>>> Remove {% csrf_token %} from the form AND leave the csrf_exempt
>>>> decorator as it is in the view. Everyone faces challenges while learning a
>>>> new thing. The key is to face it head on and not to move to somewhere you
>>>> think there will be no challenges :)
>>>>
>>>> On Mon, Sep 24, 2012 at 1:14 AM, puneet loya <punee...@gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I was trying to disable csrf. I am calling post using ajax.
>>>>>
>>>>> I have used the csrf token and placed it below the form.
>>>>>
>>>>> In my views file I'm using the csrf exempt.
>>>>>
>>>>> I am still getting the network forbidden error. :(
>>>>>
>>>>> If you require more information I will share it :)
>>>>>
>>>>> On Thursday, 19 August 2010 06:49:02 UTC+5:30, chenge wrote:
>>>>>>
>>>>>> On Aug 18, 4:29 AM, Rolando Espinoza La Fuente <dark...@gmail.com> wrote:
>>>>>> > On Tue, Aug 17, 2010 at 8:01 AM, chenge <cheng...@gmail.com> wrote:
>>>>>> > > I'm new to django. CSRF makes me crazy!
>>>>>> >
>>>>>> > Can't use the {% csrf_token %} tag inside your <form>'s?
>>>>>> >
>>>>>> > See the csrf_exempt decorator: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions
>>>>>> >
>>>>>> > Regards,
>>>>>> >
>>>>>> > Rolando Espinoza La Fuente
>>>>>> > www.insophia.com
>>>>>>
>>>>>> Thanks, I decided to try flask first, that seems simple. Maybe I'll try
>>>>>> the exempt.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Django users" group.
>>>>> To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/BQ5RpafQK3EJ.
>>>>> To post to this group, send email to django...@googlegroups.com.
>>>>> To unsubscribe from this group, send email to django-users...@googlegroups.com.
>>>>> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
>>>>
>>>> --
>>>> Yati Sagade
>>>>
>>>> Software Engineer at mquotient <http://www.mquotient.net/>
>>>>
>>>> Twitter: @yati_itay <http://twitter.com/yati_itay> | Github: yati-sagade <https://github.com/yati-sagade>
>>>>
>>>> Organizing member of TEDx EasternMetropolitanBypass
>>>> http://www.ted.com/tedx/events/4933
>>>> https://www.facebook.com/pages/TEDx-EasternMetropolitanBypass/337763226244869
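The ajaxSend hook quoted in jondykeman's reply bundles three decisions: which cookie to read, which methods need the token at all, and whether the request URL is same-origin so the token is not leaked to another host. The following is an added example, not code from the thread or from the Django project: the same three checks rewritten as pure functions (no jQuery, no DOM) so they can be run and tested outside a browser. `cookieString` and `loc` stand in for `document.cookie` and `document.location`; `SAMPLE_LOCATION`, `SAMPLE_COOKIES` and the token value are constructed sample data. It goes one step beyond the quoted snippet in two places, both commented: the method test tolerates lower-case method names, and the scheme test is case-insensitive, so an upper-case `HTTPS://` URL is treated as absolute rather than relative.

```javascript
// Added example (not from the thread): the cookie/origin/method logic of the
// ajaxSend hook, as pure functions. document.cookie and document.location are
// passed in as plain values (`cookieString`, `loc`) so this runs under Node.

// Read one cookie out of a document.cookie string such as
// "sessionid=abc; csrftoken=xyz". Returns null if the cookie is absent.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    // Match "name=" exactly, so "xcsrftoken=..." is not mistaken for "csrftoken=...".
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CsrfViewMiddleware does not require a token for.
// Upper-cases first so a caller passing 'post' is handled like 'POST'.
function safeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(String(method).toUpperCase());
}

// Same-origin test for absolute, scheme-relative and relative URLs.
// `loc` stands in for document.location: { protocol: 'https:', host: 'app.example' }.
function sameOrigin(url, loc) {
  const srOrigin = '//' + loc.host;        // scheme-relative origin, e.g. //app.example
  const origin = loc.protocol + srOrigin;  // absolute origin, e.g. https://app.example
  // The "base + '/'" comparison is what stops "https://app.example.evil/" from
  // matching: a bare prefix test on "https://app.example" would accept it.
  const under = (u, base) => u === base || u.slice(0, base.length + 1) === base + '/';
  // Deviation from the quoted snippet: the scheme test is case-insensitive here,
  // so "HTTPS://other.example/" counts as absolute rather than relative.
  const isAbsolute = /^(\/\/|http:|https:)/i.test(url);
  return under(url, origin) || under(url, srOrigin) || !isAbsolute;
}

// Headers an XMLHttpRequest should carry. Mirrors the hook: only an unsafe
// method to the same origin gets X-CSRFToken, so the cookie value is never
// handed to another host.
function csrfHeaders(method, url, cookieString, loc) {
  const headers = {};
  if (!safeMethod(method) && sameOrigin(url, loc)) {
    const token = getCookie(cookieString, 'csrftoken');
    if (token !== null) headers['X-CSRFToken'] = token;
  }
  return headers;
}

// Constructed sample values standing in for document.location and document.cookie.
const SAMPLE_LOCATION = { protocol: 'https:', host: 'app.example' };
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=t0k3n%3D; theme=dark';

// Walk through the cases the hook has to get right.
function demo() {
  const cases = [
    ['POST', '/api/items/'],               // relative, unsafe method: header added
    ['GET', '/api/items/'],                // safe method: no header
    ['POST', '//app.example/api/items/'],  // scheme-relative, same origin: header added
    ['POST', 'https://app.example.evil/'], // look-alike host prefix: no header
    ['POST', 'HTTPS://other.example/x'],   // upper-case absolute scheme: no header
  ];
  return cases.map(([method, url]) => ({
    method, url, headers: csrfHeaders(method, url, SAMPLE_COOKIES, SAMPLE_LOCATION),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints one entry per case; only the relative and scheme-relative POSTs carry `X-CSRFToken: t0k3n=` (the `%3D` in the cookie is decoded, as in the quoted `decodeURIComponent` call). Later Django documentation replaced the hand-written `sameOrigin` with jQuery's own `crossDomain` flag inside an `$.ajaxSetup({ beforeSend: ... })` hook, which avoids maintaining a URL parser in page script; the origin rule itself is unchanged.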