I understand that it would leave the view open to CSRF attack. That is the reason why I asked about "Also when you are doing Django projects and need to deal with JS then what do you do? I mean is there an alternative for JS in Django? ". I mean that whether there is a way to properly integrate JS with Django?
On Tuesday, May 13, 2014 1:44:08 AM UTC+5:30, Tom Evans wrote: > > On Mon, May 12, 2014 at 9:08 PM, Tom Evans > <teva...@googlemail.com<javascript:>> > wrote: > > On Mon, May 12, 2014 at 9:01 PM, Aseem Bansal > > <asmba...@gmail.com<javascript:>> > wrote: > >> Hi Sanjay > >> > >> I think you misunderstood a bit. The JS that I am talking about will > not be > >> inside the web pages of the project. The JS is supposed to be used as a > >> Bookmarklet in the web browser. I intend to use the bookmarklet for > sending > >> the current webpage's url to the app via a POST request. The app will > then > >> store the URL. > > > > The entire purpose of CSRF is to stop things like that from being > > possible. The bookmark makes a cross site request from the site you > > are currently on to your django site. > > > > In light of that, disable CSRF for that view. > > > > I should also mention that this would also leave that view wide open > to a CSRF attack. A malicious user who can make you execute javascript > - if you view a webpage they either control, or have injected > javascript in to (like a forum) - could then make your browser make > forged requests to your view, submitting whatever content or url that > they wanted to it, using your credentials. > > Cheers > > Tom > -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at http://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/398a7bf4-61d7-40a9-b98a-0d68ebe6fa11%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
