Thanks, Tom Christie. Now I understand why.
On Saturday, May 6, 2017 at 11:49:57 PM UTC+1, Osaetin Daniel wrote:
>
> I came across this issue because I'm building a SPA with Vue and Django
> Rest Framework as the backend.
>
> I'm using SessionAuthentication, which requires that the CSRF token be
> sent along with the data for HTTP methods that change state on the server;
> if it isn't, the request is flagged as invalid. For POST requests it's okay
> to send the CSRF token as part of the payload,
>
> e.g.
>
> {'foo': 'bar', 'csrfmiddlewaretoken': '....token'}
>
> But for other requests this doesn't work, and you're required to set the
> token in the request header to whatever
> settings.CSRF_HEADER_NAME
>
> is set to (by default it's "HTTP_X_CSRFTOKEN"). (This is what Django Rest
> Framework currently does through the browsable API.)
>
> So I want to make a proposal to elevate the other HTTP methods, so the CSRF
> token can be sent directly with the payload as "csrfmiddlewaretoken" like
> you normally do for a POST request. The fallback to
> "settings.CSRF_HEADER_NAME" would remain, so old code that depends on that
> behaviour does not break. This seems more consistent to me and also allows
> Django to support two ways of sending the CSRF token (either through the
> header or in the payload directly).
>
> This is the link to the concerned code on GitHub:
> https://github.com/django/django/blob/86de930f413e0ad902e11d78ac988e6743202ea6/django/middleware/csrf.py#L283-L303
>
> If this is a terrible idea, I would like to know why POST requests are the
> only methods that allow the CSRF token to be sent along with the payload
> directly instead of setting the token in the header.
>
> Thanks.
>
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/1aa5bbf2-dd6d-4f13-a607-22218468869d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
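Added example (not from the thread, and not Django's or DRF's own code): the client-side half of the setup the quoted message describes. A Vue (or any) SPA talking to Django with SessionAuthentication sends the CSRF token in the X-CSRFToken request header for every state-changing method, so PUT, PATCH and DELETE work the same way as POST without a "csrfmiddlewaretoken" field in the body. Note that HTTP_X_CSRFTOKEN is the WSGI/META spelling Django uses internally; the header on the wire is X-CSRFToken. The code assumes the CSRF cookie is named "csrftoken" (Django's CSRF_COOKIE_NAME default) and is readable from JavaScript, i.e. CSRF_COOKIE_HTTPONLY and CSRF_USE_SESSIONS are both False; if either is enabled, the token has to be obtained from a template or an endpoint decorated with ensure_csrf_cookie instead. The cookie string below is constructed for the example.

```javascript
// Added example: fetch() options builder for a same-origin SPA against a
// Django backend using SessionAuthentication. Not code from the thread.
//
// Assumptions (not stated in the thread): CSRF cookie name "csrftoken",
// cookie readable by JS (CSRF_COOKIE_HTTPONLY=False, CSRF_USE_SESSIONS=False).

// Methods Django's CsrfViewMiddleware treats as safe and does not check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a document.cookie-style string ("a=1; b=2") and return one value,
// or null when the cookie is absent.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build request headers; X-CSRFToken is attached only for unsafe methods,
// which is exactly the set of methods the middleware validates.
function csrfHeadersFor(method, cookieString, cookieName = "csrftoken") {
  const headers = { "Content-Type": "application/json" };
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return headers;
  }
  const token = getCookie(cookieString, cookieName);
  if (token === null) {
    // Fail loudly: a request sent without the token is rejected with 403 anyway.
    throw new Error(
      `CSRF cookie "${cookieName}" not found; load a view decorated with ` +
        "ensure_csrf_cookie (or any page that renders {% csrf_token %}) first"
    );
  }
  headers["X-CSRFToken"] = token;
  return headers;
}

// Assemble fetch() options. credentials must be set or the session cookie
// is not sent; the body stays plain JSON, with no csrfmiddlewaretoken field.
function buildRequest(method, body, cookieString) {
  const options = {
    method: method.toUpperCase(),
    credentials: "same-origin",
    headers: csrfHeadersFor(method, cookieString),
  };
  if (body !== undefined) {
    options.body = JSON.stringify(body);
  }
  return options;
}

// Constructed cookie string standing in for document.cookie in a browser.
const EXAMPLE_COOKIES = "sessionid=abc123; csrftoken=Qx9tokenvalue; theme=dark";

// In the browser: fetch("/api/items/7/", buildRequest("PUT", { foo: "bar" }, document.cookie));
```

The wrapper deliberately throws when the cookie is missing rather than sending the request: Django would reject it with a 403 anyway, and surfacing the cause on the client makes the "forgot to hit an ensure_csrf_cookie view first" mistake obvious. Because the token is sent in the header, the same function serves POST, PUT, PATCH and DELETE, which is why the SPA does not need Django to read "csrfmiddlewaretoken" from non-POST bodies.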