Hi Voss,

I guess you are right ... it may not be related to CSRF protection at all.
Are you using the Django development server? I have found some references for '\x16\x03\x01' using Google, e.g.
http://wishmesh.com/2010/05/apache-logs-contains-x16x03x01-when-accessing-site-via-https/

It seems that this is related to browsers that speak HTTPS to a (misconfigured) HTTP server.

Can you verify that this also happens when using the Django devserver on port 8000?
Another thing you could try is to get rid of the is_ajax check.
In either case you should also return a response for non-AJAX requests ... otherwise you will provoke an HTTP 500 in these cases.

hendrik


On 06/07/2012 06:17 PM, voss wrote:
Hello Hendrik,

To simplify things and to do some tests, I started with disabling the csrf protection. Here is my JS:

                    dojo.xhrPost( {
                        url: "/test/",
                        content: {details: JSON.stringify(details)},
                        load: function(response){
                            alert(response);
                            },
                        error: function(){
                            alert("error");
                            }
                    });


In views.py, I have:

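                    from django.http import HttpResponse
                    from django.views.decorators.csrf import csrf_exempt

                    @csrf_exempt
                    def new_session(request):
                        # Only AJAX requests get a response; anything else falls through and returns None
                        if request.is_ajax():
                            return HttpResponse('ok')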


In theory, I should see the 'ok' alert, but, instead, I got "null". The debug message shows:

[07/Jun/2012 10:31:06] code 400, message Bad request syntax ('\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01O\xd0\xc9:}m\x9e\x04\xbf_:$`\x96v\xca\x1b\x92\xb8\xc7?M\x0f\xbdc\x8e\xfb+\x84E\x8c?\x00\x00H\x00\xff\xc0')
[07/Jun/2012 10:31:06] "??O??:}m??_:$`?v????M?c??+?E??H??" 400 -

This error message looks similar to that before the csrf_exempt decorator was added, which suggests to me that the problem may not be in the csrf protection. Am I right? Any thoughts would be greatly appreciated!

    voss


On Monday, June 4, 2012 8:21:15 PM UTC-5, henzk wrote:

    Hi Voss,

    I forgot about Django's CSRF protection.
    You can use the csrf_exempt decorator on the view function to
    disable Django's CSRF protection - however, I wouldn't recommend that.

    There is a script at
    https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
    To use the script with dojo instead of jquery, you will need to
    adapt it a little:

    -copy the getCookie function to your code

    then, every time you make a POST request to your application using
    dojo.xhrPost, add this to the arguments object:

    headers: {'X-CSRFToken': getCookie('csrftoken')}

    If you are still getting HTTP 400 errors, verify that the request
    looks sane in Firebug and check that it contains an
    X_HTTP_REQUESTED_WITH header set to XMLHttpRequest (but I am
    pretty sure dojo adds this one automatically).

    hendrik

    On Monday, 4 June 2012 18:33:21 UTC+2, voss wrote:

        Hi Hendrik,

        I forgot to mention in my previous message that the debug
        shows the following:

        code 400, message Bad request syntax ("\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01O\xcc\xd8\xc0\x18hZ\x7f\xa3h\xb9l\xaf\xdb\xfbp}(\xc1\xc6\xa5g\x18\xe5!\x87\xd4\xe2`_'\x90\x00\x00H\x00\xff\xc0")

        Thank you!

            voss



        On Saturday, June 2, 2012 8:46:38 AM UTC-5, henzk wrote:

            Hi,

            I haven't tested the code and never used dojo before, but
            sth. like this should work:

            var source1 = new dojo.dnd.Source("itemListNode");
            var source2 = new dojo.dnd.Target("selectedListNode");
            dojo.connect( source1, "onDndDrop",
                function(source, nodes, copy, target){
                    //gather items and details
                    var details = [];
                    for( var i=0; i < nodes.length; i++){
                        var item = this.getItem(nodes[i].id);
                        details.push(item.data);
                    }
                    //send details to server via AJAX POST request
                    dojo.xhrPost({
                        url: "/save_details/",
                        content: {details: JSON.stringify(details)},
                        // The success handler
                        load: function(response) {
                             alert('ok');
                        },
                        // The error handler
                        error: function() {
                             alert("error");
                        }
                    });
            });

            Explanation:

            - changed 'item' to 'var item' ... without the 'var', item will be global, which is probably not what you want.
            - to get around making multiple requests to the server (one for each dropped node), put the detail of each node in the details array.
            - then json-encode and send this array to your django view (assumed to be at '/save_details/')
            - in the view, access the list as json.loads(request.POST.get('details', '[]')) and place it into request.session

            As mentioned, the code is completely untested.

            Good luck!

            Yours,

            Hendrik Speidel

--
You received this message because you are subscribed to the Google Groups "Django users" group. To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/CWKY_xRFelAJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
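
The '\x16\x03\x01' prefix discussed in the thread is the start of a TLS handshake record. The following added example (not code from either poster) decodes the bytes the devserver logged and reports when a TLS ClientHello reached a plain-HTTP port; the function names and the PLAIN_LOG line are assumptions made for the example.

```python
import ast
import re
import struct

# Log line copied from the thread (Django devserver output).
SAMPLE_LOG = r"[07/Jun/2012 10:31:06] code 400, message Bad request syntax ('\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01O\xd0\xc9:}m\x9e\x04\xbf_:$`\x96v\xca\x1b\x92\xb8\xc7?M\x0f\xbdc\x8e\xfb+\x84E\x8c?\x00\x00H\x00\xff\xc0')"
# Constructed line for contrast: a malformed but genuine HTTP request.
PLAIN_LOG = "[07/Jun/2012 10:32:00] code 400, message Bad request syntax ('GET')"
BAD_SYNTAX = re.compile(r"Bad request syntax \((?P<repr>.*)\)\s*$")
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def logged_bytes(line):
    """Recover the raw request bytes from the repr() the server logged."""
    match = BAD_SYNTAX.search(line)
    if not match:
        return None
    try:
        value = ast.literal_eval(match.group("repr"))  # parses literals only
    except (ValueError, SyntaxError):
        return None
    if isinstance(value, str):
        value = value.encode("latin-1", errors="replace")
    return value if isinstance(value, bytes) else None


def parse_client_hello(data):
    """Return ClientHello fields if data starts with a TLS handshake record."""
    if data is None or len(data) < 11:
        return None
    rec_type, rec_major, _rec_minor, rec_len = struct.unpack(">BBBH", data[:5])
    hs_type, hs_len = data[5], int.from_bytes(data[6:9], "big")
    hello_major, hello_minor = data[9], data[10]
    if (rec_type, rec_major, hs_type, hello_major) != (0x16, 3, 0x01, 3):
        return None
    return {
        "record_length": rec_len,
        "handshake_length": hs_len,
        "client_version": TLS_VERSIONS.get(hello_minor, "3.%d" % hello_minor),
    }


def diagnose(line):
    """Classify one 'Bad request syntax' log line."""
    hello = parse_client_hello(logged_bytes(line))
    if hello is None:
        return "not a TLS handshake"
    return "TLS ClientHello (%s) sent to a plain-HTTP port" % hello["client_version"]
```
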
