I came across this issue because I'm building a SPA with Vue and Django
Rest Framework as the backend.
I'm using SessionAuthentication, which requires that the CSRF token be
sent along with the data for HTTP methods that change state on the server;
if not, the request is flagged as invalid. For POST requests it's okay
to send the CSRF token as part of the payload,
e.g.
{'foo': 'bar', 'csrfmiddlewaretoken': '....token'}
But for other requests this doesn't work, and you're required to set the
token in the request header to whatever
settings.CSRF_HEADER_NAME
is set to (by default it's "HTTP_X_CSRFTOKEN"). (This is what Django Rest
Framework currently does through the browsable API.)
So I want to make a proposal to elevate other HTTP methods, so the CSRF
token can be sent directly with the payload as "csrfmiddlewaretoken", like
you'd normally do for a POST request. The fallback to
"settings.CSRF_HEADER_NAME" would remain, so old code that depends on that
behaviour does not break. This seems more consistent to me and also allows
Django to support two ways of sending the CSRF token (either through the
header or in the payload directly).
This is the link to the concerned code on GitHub:
https://github.com/django/django/blob/86de930f413e0ad902e11d78ac988e6743202ea6/django/middleware/csrf.py#L283-L303
If this is a terrible idea, I would like to know why POST requests are the
only method that allows the CSRF token to be sent along with the payload
directly instead of setting the token in the header.
Thanks.
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/ad22ae61-7249-4aa4-98ba-39cc95e8222b%40googlegroups.com.
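The two transport paths the post describes, written out as an added example; this is not code from the original post, from Django or from Django Rest Framework. It assumes Django's default settings: CSRF_HEADER_NAME is "HTTP_X_CSRFTOKEN" (which arrives on the wire as the X-CSRFToken header, since request.META strips "HTTP_" and turns hyphens into underscores) and the token is readable from the "csrftoken" cookie because CSRF_COOKIE_HTTPONLY is off. The client helper always uses the header for unsafe methods, which the middleware accepts for every method and is therefore what a JSON-speaking SPA needs anyway: Django's request.POST is populated only for POST requests with form-encoded or multipart bodies, so a JSON payload never exposes a "csrfmiddlewaretoken" field to the middleware, whatever the method. The two `requestToken*` functions are a deliberately simplified model of the lookup order, today's and the proposed one, not the middleware's real code, and the cookie string is constructed for the example.

```javascript
// Added example, not code from the original post or from Django/DRF.
// Assumed Django defaults: CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN" and the
// token readable from the "csrftoken" cookie (CSRF_COOKIE_HTTPONLY = False).

const CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"; // value of settings.CSRF_HEADER_NAME
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]); // not checked by the middleware

// settings.CSRF_HEADER_NAME is the request.META spelling; the header the browser
// actually sends drops "HTTP_" and uses hyphens (header names are case-insensitive).
function wireHeaderName(metaName) {
  return metaName.replace(/^HTTP_/, "").replace(/_/g, "-");
}

// Minimal parser for a document.cookie-style string ("a=1; csrftoken=abc").
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build fetch() options for a JSON request from the SPA. For every unsafe method
// the token goes in the header, which CsrfViewMiddleware accepts regardless of
// method. A JSON body cannot carry "csrfmiddlewaretoken" where request.POST would
// see it, so the header is the only working path for a JSON API client.
function csrfRequest(method, body, cookieString) {
  const upper = method.toUpperCase();
  const headers = { "Content-Type": "application/json" };
  if (!SAFE_METHODS.has(upper)) {
    const token = getCookie(cookieString, "csrftoken");
    if (token === null) {
      // Typical cause: no page rendered with the cookie yet (see ensure_csrf_cookie).
      throw new Error("csrftoken cookie not set; cannot make an unsafe request");
    }
    headers[wireHeaderName(CSRF_HEADER_NAME)] = token;
  }
  return {
    method: upper,
    headers,
    credentials: "same-origin", // sends the sessionid cookie for SessionAuthentication
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Simplified model (assumption, not Django's code) of where the middleware looks
// for the token today: a POST may carry it as a form field, and every method may
// carry it in the header. `formFields` stands in for request.POST, which Django
// only populates for POST; `meta` stands in for request.META.
function requestTokenCurrent(method, formFields, meta) {
  let token = "";
  if (method === "POST") token = formFields.csrfmiddlewaretoken || "";
  if (token === "") token = meta[CSRF_HEADER_NAME] || "";
  return token;
}

// The lookup order the post proposes: form field first for any method, then the
// header fallback so existing header-based clients keep working. `method` is
// kept for symmetry with the current model; the proposal ignores it.
function requestTokenProposed(method, formFields, meta) {
  let token = formFields.csrfmiddlewaretoken || "";
  if (token === "") token = meta[CSRF_HEADER_NAME] || "";
  return token;
}

// Constructed sample cookie string, shaped like what document.cookie returns.
const SAMPLE_COOKIES = "sessionid=s3ss10n; csrftoken=tok123";

// Usage in the browser: fetch("/api/items/1/", csrfRequest("PATCH", { foo: "bar" }, document.cookie));
```

In the browser, pass `document.cookie` as the cookie string; the model functions show that under today's lookup a PUT carrying only the form field yields an empty token (and therefore a 403), while the header works for every method, which is also why the browsable API sends the header rather than the field.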