Friday, February 25, 2011

Re: Cross Site Request Forgery (csrf) via POST / JQuery

I'm not sure if you ever solved this, but the provided code didn't work
with jquery 1.5.0 for me (though it does with 1.4.4 and 1.5.1).

Maybe this is what you are observing.

Hope this helps!
Casey

On 02/22/2011 08:30 PM, gorans wrote:
> Hi
>
> I'm using Django's CSRFViewMiddleware and am making a POST request in
> a page (using JQuery) in the form of:
>
> $.post('{% url posted_to_wall %}', {
> network: 'FBK',
> action_type: 'feed',
> effect: 1
> });
>
> In order to satisfy the csrf_token check, I have implemented the
> instructions from the Django docs: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
> (with some tweaks to only run the csrf on POST and not GET)
>
> $('html').ajaxSend(function(event, xhr, settings) {
>     xhr.setRequestHeader("x-testing1", 'testme1');
>     function getCookie(name) {
>         var cookieValue = null;
>         if (document.cookie && document.cookie != '') {
>             var cookies = document.cookie.split(';');
>             // optimise this!
>             for (var i = 0; i < cookies.length; i++) {
>                 var cookie = jQuery.trim(cookies[i]);
>                 // Does this cookie string begin with the name we want?
>                 if (cookie.substring(0, name.length + 1) == (name + '=')) {
>                     cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
>                     //console.log('cookie is ' + cookieValue);
>                     break;
>                 }
>             }
>         }
>         return cookieValue;
>     }
>
>     //console.log(/^http:.*/.test(settings.url));
>
>     if (settings.type == 'POST') {
>         if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
>             // Only send the token to relative URLs i.e. locally.
>             // console.log('we\'re local ajax');
>             xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
>         }
>     }
> });
>
> However, the X-CSRFToken request is not being set by the command
> xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
>
> I have tried on both Chrome 11.0.672.2 dev and Firefox 4.0b11
>
> I have worked around the issue by adding
> csrfmiddlewaretoken: $('input[name|="csrfmiddlewaretoken"]').attr('value')
> to my POST data, but would prefer to have it all done with the .ajaxSend
> method presented in the Django Docs.
>
> Does anyone have any suggestions as to why the xhr.setRequestHeader()
> doesn't work?
>
> Thanks in advance
>
> Goran!
>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
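As an added illustration (not code from either poster or from the Django docs), here is the same token-attaching policy written as plain functions that can be tested outside the browser. It generalises the quoted snippet in two ways a practitioner would want: it covers every non-safe method, not only POST, and it resolves the request URL against the page origin, so protocol-relative URLs such as `//other.host/...` (which the `^http:` / `^https:` regexes do not match) are treated as cross-origin and never receive the token. The cookie name `csrftoken`, the header name `X-CSRFToken` and the origin `https://app.example` are assumptions (the first two are Django's defaults).

```javascript
// Added example: when to attach Django's CSRF token to an XMLHttpRequest.
// Assumed names: cookie 'csrftoken', header 'X-CSRFToken' (Django defaults).

// Parse a document.cookie string ("a=1; csrftoken=abc") and return the named value,
// or null when the cookie is absent. Takes the string as an argument so it runs
// outside a browser; in a page, pass document.cookie.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  const parts = cookieString.split(';');
  for (let i = 0; i < parts.length; i++) {
    const cookie = parts[i].trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Django's CSRF middleware does not check these methods, so no token is needed.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Same-origin test: relative URLs resolve against the page origin; absolute and
// protocol-relative ("//host/...") URLs are compared against it.
function sameOrigin(url, pageOrigin) {
  const resolved = new URL(url, pageOrigin);
  return resolved.origin === pageOrigin;
}

// Returns {name, value} for the header to set, or null when the token must not
// be sent: safe method, cross-origin destination, or no cookie present.
function csrfHeaderFor(method, url, cookieString, pageOrigin) {
  if (csrfSafeMethod(method) || !sameOrigin(url, pageOrigin)) return null;
  const token = getCookie(cookieString, 'csrftoken');
  return token ? { name: 'X-CSRFToken', value: token } : null;
}

// In a page, after xhr.open(method, url):
//   const h = csrfHeaderFor(method, url, document.cookie, window.location.origin);
//   if (h) xhr.setRequestHeader(h.name, h.value);
```

Only the decision logic is shown; the jQuery `ajaxSend` hook from the quoted message can call `csrfHeaderFor(settings.type, settings.url, document.cookie, window.location.origin)` and set the header when it returns non-null.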
