On Tue, May 13, 2014 at 6:14 PM, Aseem Bansal <asmbans...@gmail.com> wrote:

> I understand that it would leave the view open to CSRF attack. That is the
> reason why I asked about "Also when you are doing Django projects and need
> to deal with JS then what do you do? I mean is there an alternative for JS
> in Django?". I mean, is there a way to properly integrate JS with Django?
In what way is it integrated "improperly" currently? Django is a library which outputs text, normally HTML. What you put in the text is up to you.

CSRF is designed to stop requests like the ones you are trying to make. There is no protection that can allow requests like yours and disallow the naughty ones, because the naughty ones look just like the allowed ones. This is the purpose of the CSRF token: it prevents requests that are like form submissions from being submitted to the site unless the data was submitted from a page loaded by the site, which would supply a CSRF token. This token protects you from CSRF attacks; it guarantees that submissions are not forged.

Now, you want to make submissions to your site from pages not loaded from the site, making it impossible to have a CSRF token provided, and so it cannot provide this guarantee. Therefore, there cannot be CSRF protection that allows those submissions and prevents forged ones.

I can't make it much clearer than that, I'm afraid; if it still isn't clear someone else will need to step in.

Cheers

Tom
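The token mechanism Tom describes, shown as a small self-contained simulation. This is an added example, not code from the thread and not Django's own implementation; the names (CsrfServer, Request, render_form, submit, extract_token, demo) are hypothetical. It models the three cases in the reply: a form served by the site, JavaScript on that same page sending the token in a header, and a submission from a page the site never served, which carries the session cookie but cannot carry the token.

```python
"""Synchronizer-token CSRF defence, simulated in memory (added example)."""
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for an HTTP POST: the session cookie the browser attaches
    automatically, plus whatever fields and headers the page chose to send."""
    session_id: str
    fields: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class CsrfServer:
    """Hypothetical site with one state-changing endpoint (submit)."""

    def __init__(self):
        self.sessions = {}   # session_id -> CSRF token bound to that session
        self.comments = []   # the state a forged request would try to change

    def start_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def render_form(self, session_id):
        """Only a page served by the site can embed the session's token."""
        token = self.sessions[session_id]
        return ('<form method="post">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<input name="comment"></form>')

    def submit(self, request):
        """Accept the POST only if it carries the token bound to its session.
        The token may arrive as a form field or, for JS requests, as a header."""
        expected = self.sessions.get(request.session_id)
        supplied = (request.fields.get("csrf_token")
                    or request.headers.get("X-CSRF-Token"))
        if expected is None or supplied is None:
            return 403
        if not hmac.compare_digest(expected, supplied):  # constant-time compare
            return 403
        self.comments.append(request.fields.get("comment", ""))
        return 200


def extract_token(page_html):
    """What the browser, or same-origin JS, does: read the token out of the page."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', page_html)
    return match.group(1) if match else None


def demo():
    """Return the status codes for a form post, a same-origin JS post and a
    cross-site post, in that order."""
    server = CsrfServer()
    sid = server.start_session()

    # 1. Browser loads the form from the site; the token is in the page.
    token = extract_token(server.render_form(sid))
    form_post = server.submit(
        Request(sid, {"csrf_token": token, "comment": "hello"}))

    # 2. JS on that same page sends the token in a header instead of a field.
    js_post = server.submit(
        Request(sid, {"comment": "from js"}, {"X-CSRF-Token": token}))

    # 3. A page not served by the site: the browser still attaches the session
    #    cookie, but that page never received the token, so the server cannot
    #    tell its submission apart from a forged one and rejects it.
    cross_site_post = server.submit(
        Request(sid, {"comment": "not from the site"}))

    return form_post, js_post, cross_site_post


if __name__ == "__main__":
    print(demo())  # (200, 200, 403)
```

Case 2 is the answer to the "JS integration" question in the quoted message: script running on a page the site served has the token and can send it with its requests (Django's documentation describes the same pattern for AJAX, reading the `csrftoken` cookie and sending it in an `X-CSRFToken` header). Case 3 is the situation Tom says no protection can allow, because the only thing distinguishing a legitimate request from a forged one is the token that the foreign page does not have.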