Thanks for the explanation Tom. Really appreciate that. Your explanation is 
very clear. My question's focus is not. From the beginning I have focused 
on CSRF which might have taken the focus away from the real problem at 
hand. 

The problem is that data needs to be passed from the browser's current tab 
to a particular URL.  The data being the current URL. Other things like 
JavaScript and using POST are not part of the actual problem statement. It 
is just one implementation idea that I think can work. The problem left is 
that I need a way to authenticate as well. As authentication is handled 
through CSRF middleware, my focus was there. The lack of clarity was 
in my understanding that JS used as a bookmarklet effectively becomes JS 
on that particular website.

The integration that I was talking about is some authentication framework 
which can work with both Django and JS to make this possible. Any 
libraries? I am at a loss for keywords to look for the libraries. I 
understand that it is still a question without concrete requirements but 
please share if any ideas or if I simply need to work it out myself.

Am I looking at the problem from the incorrect perspective? I mean should I 
try to look at the browser extensions for this functionality? Try to create 
one myself?


On Tuesday, May 13, 2014 10:54:25 PM UTC+5:30, Tom Evans wrote:
>
> On Tue, May 13, 2014 at 6:14 PM, Aseem Bansal <asmba...@gmail.com> wrote: 
> > I understand that it would leave the view open to CSRF attack. That is 
> > the reason why I asked about "Also when you are doing Django projects and 
> > need to deal with JS then what do you do? I mean is there an alternative 
> > for JS in Django?". I mean, whether there is a way to properly integrate 
> > JS with Django? 
>
> In what way is it integrated "improperly" currently? Django is a 
> library which outputs text, normally HTML. What you put in the text is 
> up to you. 
>
> CSRF is designed to stop requests like the ones you are trying to 
> make. There is no protection that can allow requests like yours, and 
> disallow the naughty ones, because the naughty ones look just like the 
> allowed ones. 
>
> This is the purpose of the CSRF token, it prevents requests that are 
> like form submissions from being submitted to the site unless the data 
> was submitted from a page loaded by the site, which would supply a 
> CSRF token. This token protects you from CSRF attacks, it guarantees 
> that submissions are not forged. 
>
> Now, you want to make submissions to your site from pages not loaded 
> from the site, making it impossible to have a CSRF token provided, and 
> so it cannot provide this guarantee. 
> Therefore, there cannot be CSRF protection that allows those 
> submissions and prevents forged ones. 
>
> I can't make it much clearer than that I'm afraid - if it still isn't 
> clear someone else will need to step in. 
>
> Cheers 
>
> Tom 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/7f0c5726-8b72-49b4-91be-4b7a9b9e091a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
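Added example, not code from this thread, from Django or from any library it mentions: a framework-free sketch of the "bearer token instead of CSRF token" design the question is circling. Tom's point stands: a bookmarklet runs as JavaScript inside whatever page the user is looking at, so it can never read the Django site's CSRF cookie or a token embedded in the site's own forms, and the endpoint it posts to has to be exempt from CSRF checking. What can replace the CSRF token is a per-user secret that the site issues once on a logged-in page, that the bookmarklet carries in a custom header, and that the exempt view verifies before touching anything tied to the user. A plain cross-site form POST can set neither a custom header nor a secret it does not know, so forged submissions fail while the bookmarklet's succeed. The keywords that lead to ready-made pieces of this are "token authentication" (for example Django REST framework's TokenAuthentication) and CORS (for example django-cors-headers). The view, the token table, the saved-URL store and the request dicts below are stand-ins I made up; in a real Django project the view would be decorated with `@csrf_exempt` and read the header from `request.META['HTTP_AUTHORIZATION']`.

```python
"""Added example: token-authenticated endpoint for a bookmarklet (no Django)."""
import hashlib
import hmac  # imported to make the point that comparisons must be constant-time
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Assumption: stand-ins for two database tables, token-hash -> user id and
# user id -> saved URLs.
_TOKEN_TABLE: Dict[str, str] = {}
SAVED: Dict[str, List[str]] = {}


def _digest(token: str) -> str:
    """Store only a hash of each token so a leaked table does not leak tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: str) -> str:
    """Mint a random bearer token for one user (shown once, on a logged-in page)."""
    token = secrets.token_urlsafe(32)
    _TOKEN_TABLE[_digest(token)] = user_id
    return token


def revoke_all(user_id: str) -> None:
    """Drop every token of a user; the bookmarklet stops working immediately."""
    for h in [h for h, u in _TOKEN_TABLE.items() if u == user_id]:
        del _TOKEN_TABLE[h]


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the user id behind a valid 'Bearer <token>' header, else None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    presented = _digest(authorization[len("Bearer "):])
    # The hash of an unknown random token is itself unpredictable, so the dict
    # lookup leaks nothing useful via timing; comparing raw tokens would need
    # hmac.compare_digest instead.
    return _TOKEN_TABLE.get(presented)


def save_url_view(request: dict) -> Tuple[int, str]:
    """Django-style view as a plain function; `request` is a dict with
    'method', 'headers' and 'POST'.  It must not fall back to the session
    cookie, because that is exactly the case the CSRF token exists for."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    user_id = authenticate(request["headers"].get("Authorization"))
    if user_id is None:
        # A cross-site <form> POST can neither set a custom header nor know
        # the token, so forged submissions end here.
        return 401, "missing or invalid bookmarklet token"
    url = request["POST"].get("url", "")
    if not url.startswith(("http://", "https://")):
        return 400, "url must be an absolute http(s) URL"
    SAVED.setdefault(user_id, []).append(url)
    return 200, "saved"


def make_bookmarklet(endpoint: str, token: str) -> str:
    """Build the javascript: URL the user drags to the bookmark bar.

    It runs inside whatever page is open, reads location.href and POSTs it
    with the bearer token.  The custom Authorization header makes the browser
    send a CORS preflight first, so the endpoint must also answer OPTIONS
    with Access-Control-Allow-Origin and Access-Control-Allow-Headers.
    """
    js = (
        "fetch(%r,{method:'POST',"
        "headers:{'Authorization':'Bearer %s',"
        "'Content-Type':'application/x-www-form-urlencoded'},"
        "body:'url='+encodeURIComponent(location.href)})"
    ) % (endpoint, token)
    return "javascript:" + quote(js, safe="")


def demo() -> Dict[str, int]:
    """Constructed requests: a forged cross-site POST, the real bookmarklet
    call, a call with a tampered token, and the real call after revocation."""
    token = issue_token("alice")
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")
    forged = {"method": "POST", "headers": {},
              "POST": {"url": "https://example.com/evil"}}
    genuine = {"method": "POST",
               "headers": {"Authorization": "Bearer " + token},
               "POST": {"url": "https://example.com/article"}}
    bad = {"method": "POST",
           "headers": {"Authorization": "Bearer " + tampered},
           "POST": {"url": "https://example.com/article"}}
    results = {"forged": save_url_view(forged)[0],
               "genuine": save_url_view(genuine)[0],
               "tampered": save_url_view(bad)[0]}
    revoke_all("alice")
    results["after_revoke"] = save_url_view(genuine)[0]
    return results


if __name__ == "__main__":
    print(demo())
    print(make_bookmarklet("https://bookmarks.example/api/save", "TOKEN"))
```

The caveat that comes with this design: the secret lives inside the bookmarklet and executes in the context of third-party pages, so a hostile page the user clicks it on can observe the token (for instance by wrapping `fetch`). Keep the token good for this one endpoint only, never for the session, and make it revocable as `revoke_all` does. The view is exempt from CSRF checking precisely because the bearer token, not the CSRF token, is what makes the request unforgeable; exempting a view that still trusts the session cookie would reopen the hole Tom describes.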
