Yes.
Look at the HTTP Headers.
Just in case you need to read the docs on 1.2.5, which identified the
CSRF AJAX issue:
http://www.djangoproject.com/weblog/2011/feb/08/security/
Also, looking at the request in Firebug you can see the 'X-CSRFToken'
needs to be added as an attribute with the JavaScript you use.
This is not labour intensive and I was able to do a grep to find and
replace in my files to make them compatible.
Here is the required code in Prototype. Could be adapted to the
framework of your choice.
function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie != '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            // String#strip() is Prototype's whitespace trimmer
            var cookie = cookies[i].strip();
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}

function requestPage(event) {
    var element = event; // event.element() if a real Event object is passed in
    // Element#identify() returns the element's id (Prototype)
    var url = '/' + element.identify() + '/';
    new Ajax.Updater('content', url, {
        method: 'post',
        // Django's CsrfViewMiddleware reads the token from this header on AJAX requests
        requestHeaders: { 'X-CSRFToken': getCookie('csrftoken') }
    });
}
On Fri, Apr 8, 2011 at 6:49 PM, Vincent den Boer <vincent@shishkabab.net> wrote:
> We have a site with a lot of static HTML pages and a few Django pages. Dajaxice
> is used on both the static and Django pages to check whether the user is logged
> in and show the login status to the user. The problem is that since the user
> will typically visit the HTML pages first, the user will not have a CSRF cookie
> stored when the first AJAX request is made and Django rejects the request. Is
> there any elegant way to solve this? I've now disabled CSRF protection for all
> AJAX requests, which is not a problem right now since we don't do anything
> dangerous or send sensitive data with AJAX, but could become risk in the future.
>
> Kind regards,
> Vincent
>
> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
>
>
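The cookie-to-header step the reply describes, written as an added example without Prototype (this is not code from the original post). The cookie parsing takes the raw cookie string as a parameter so it can be checked against a constructed string instead of document.cookie, the header is only attached for methods Django's CSRF middleware actually checks, and the missing-cookie case from the quoted question (first AJAX call from a static page, before any Django page has set csrftoken) fails loudly instead of sending an unprotected request. The cookie name 'csrftoken' is Django's default; the csrfPost wrapper and the URL passed to it are assumptions.

```javascript
// Parse one cookie value out of a raw cookie string such as
// "sessionid=abc; csrftoken=XYZ". Returns null when the name is absent.
function getCookieFrom(cookieString, name) {
  if (!cookieString) return null;
  var parts = cookieString.split(';');
  for (var i = 0; i < parts.length; i++) {
    var cookie = parts[i].trim();
    // Compare the full "name=" prefix so "csrftoken" does not match "xcsrftoken".
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CsrfViewMiddleware treats as safe; every other method needs the token.
var SAFE_METHODS = { GET: true, HEAD: true, OPTIONS: true, TRACE: true };

// Build the request headers for an AJAX call from a given cookie string.
// Throws when an unsafe request would go out without a token, which is the
// situation in the quoted question: no csrftoken cookie has been set yet.
function buildHeaders(method, cookieString) {
  var headers = {};
  if (SAFE_METHODS[method.toUpperCase()]) return headers;
  var token = getCookieFrom(cookieString, 'csrftoken'); // Django's default cookie name
  if (token === null) {
    throw new Error('csrftoken cookie missing: a Django-served page must set it before POSTing');
  }
  headers['X-CSRFToken'] = token;
  return headers;
}

// Browser-side wrapper (hypothetical helper; assumes XMLHttpRequest and document.cookie).
function csrfPost(url, body, onDone) {
  var headers = buildHeaders('POST', document.cookie); // throws if the cookie is absent
  var xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  for (var h in headers) xhr.setRequestHeader(h, headers[h]);
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) onDone(xhr);
  };
  xhr.send(body);
}
```

Calling buildHeaders before opening the request means a static page that has not yet received the cookie gets a clear error rather than a silent 403 from Django, which makes the ordering problem from the question visible at the point where it can be fixed.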