I have got the jQuery that does the ajaxSetup. However, the problem is when #csrfmiddlewaretoken isn't on the page. My jQuery is as the Django documentation suggests, which is to read the cookie value that is meant to be set at every request.
If the user hasn't visited a page that has #csrfmiddlewaretoken on it then there is also no cookie, in IE only. I can solve my issue by putting {% csrf_token %} on every page of the web site, but something is telling me there is a deeper problem.

On Mar 9, 2:12 pm, krzysiekpl <krzysie...@gmail.com> wrote:
> Did you try adding a custom header X-CSRFToken? Try this solution if you're
> using jquery
>
> $.ajaxSetup({
>     beforeSend: function(xhr, settings) {
>         if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
>             // Only send the token to relative URLs i.e. locally.
>             xhr.setRequestHeader("X-CSRFToken",
>                                  $("#csrfmiddlewaretoken").val());
>         }
>     }
> });
>
> http://www.djangoproject.com/weblog/2011/feb/08/security/
>
> On 9 Mar, 14:59, cootetom <coote...@gmail.com> wrote:
> > I am experiencing some odd behaviour with CSRF but only in IE
> > browsers. Using Django 1.2.5 (final).
> >
> > I have a page that has no form and no use of {% csrf_token %} but it
> > does make a POST request using JavaScript. I have implemented the
> > jQuery code to grab the CSRF cookie value for all AJAX requests. The
> > strange thing is that in IE browsers there is no CSRF cookie but in
> > all other browsers, on the same page, that cookie exists. So IE
> > browsers get 403 for AJAX requests and other browsers work just fine.
> >
> > I'm just using the django.middleware.csrf.CsrfViewMiddleware
> > middleware.
> >
> > Here is the scenario to replicate this:
> >
> > 1. Visit a page that does have a form and so does have a {% csrf_token %}
> > 2. Move onto a page that doesn't make use of {% csrf_token %} but does
> >    still do a JavaScript POST. The JavaScript POST will work this time
> >    around.
> > 3. Close the web browser down, re-open it but go directly to the web
> >    page that doesn't use {% csrf_token %} but does make a JavaScript
> >    POST. This will now fail as no cookie has been set for CSRF.
> >
> > The documentation says the cookie is set for every request so I don't
> > understand this?
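As an added example (not code from either poster), here is the cookie-based variant the Django documentation describes, with the decision logic split out so it can be tested without a browser: it reads `csrftoken` from a `document.cookie`-style string, sends `X-CSRFToken` only for non-safe methods, and tightens the quoted URL check so protocol-relative URLs (`//host/...`) are also excluded. The cookie string parameter and the helper names are this example's own.

```javascript
// Added example: client-side CSRF header logic mirroring the Django-documented
// jQuery approach (cookie -> X-CSRFToken header), factored for testing.

// Parse one cookie value out of a document.cookie-style string.
// Returns null when the cookie is absent, the situation described in the thread.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Methods that Django's CsrfViewMiddleware does not check; no header needed.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method.toUpperCase());
}

// Scope rule from the quoted snippet, plus protocol-relative URLs: the token
// is only attached to same-site relative URLs so it never reaches another origin.
function isRelativeUrl(url) {
  return !/^(https?:)?\/\//i.test(url);
}

// Decide which headers an AJAX request should carry. `settings` follows the
// shape jQuery passes to beforeSend ({ type, url }); `cookieString` stands in
// for document.cookie so the function can be exercised outside a browser.
function csrfHeaders(settings, cookieString) {
  const method = settings.type || 'GET';
  if (csrfSafeMethod(method) || !isRelativeUrl(settings.url)) return {};
  const token = getCookie('csrftoken', cookieString);
  // Without a cookie there is nothing to send; Django will answer 403.
  return token === null ? {} : { 'X-CSRFToken': token };
}

// Browser wiring via jQuery's ajaxSetup, guarded so the helpers above also
// load under Node where $ and document do not exist.
if (typeof $ !== 'undefined' && typeof document !== 'undefined') {
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      const headers = csrfHeaders(settings, document.cookie);
      for (const name in headers) xhr.setRequestHeader(name, headers[name]);
    }
  });
}
```

When the cookie is missing the helper sends no header and the POST is rejected with 403, which is the failure described above; in Django 1.2 the csrftoken cookie is only written on responses whose view used the token (for example through `{% csrf_token %}`), so a page with no such use does not set it.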