Hi Hendrik,

Thank you for your prompt reply. I really appreciate it!

Yes, I am using the django development server, and it is on port 8000. I, too, read that the https can cause the '\x16\x03\x01' problem, but I don't see how this can happen in my case because I did not create any https'. Although it may not be csrf, do you think csrfmiddlewaretoken: '{{ csrf_token }}' could be the missing piece (see http://stackoverflow.com/questions/9085068/django-jquery-get-to-post)? It seems to make sense to me because {% csrf_token %} is required for a normal post request. If so, how do I use it in dojo.xhrPost? I tried

    dojo.xhrPost( {
        url: "/test/",
        content: {
            details: JSON.stringify(details),
            csrfmiddlewaretoken: '{{ csrf_token }}'
        },
        load: function(response){
            alert(response);
        },
        error: function(){
            alert("error");
        }
    });

, but it did not change anything. I also commented out the is_ajax line, but I got the same debug message.

voss

On Thursday, June 7, 2012 11:32:14 AM UTC-5, henzk wrote:
>
> Hi Voss,
>
> i guess you are right ... it may not be related to CSRF-Protection at all.
> Are you using the django development server? I have found some references
> for '\x16\x03\x01' using google, e.g.
>
> http://wishmesh.com/2010/05/apache-logs-contains-x16x03x01-when-accessing-site-via-https/
>
> It seems that this is related to browsers that speak HTTPS to a
> (misconfigured) HTTP server.
>
> Can you verify that this happens also when using the django devserver on
> port 8000?
> Another thing you could try is to get rid of the is_ajax check.
> In either case you should return a response for non-ajax requests also ...
> otherwise you will provoke a HTTP500 in these cases.
>
> hendrik
>
>
> On 06/07/2012 06:17 PM, voss wrote:
>
> Hello Hendrik,
>
> To simplify things and to do some tests, I started with disabling the csrf
> protection. Here is my JS:
>
>     dojo.xhrPost( {
>         url: "/test/",
>         content: {details: JSON.stringify(details)},
>         load: function(response){
>             alert(response);
>         },
>         error: function(){
>             alert("error");
>         }
>     });
>
>
> In views.py, I have:
>
>     @csrf_exempt
>     def new_session(request):
>         if request.is_ajax():
>             return HttpResponse('ok')
>
>
> In theory, I should see the 'ok' alert, but, instead, I got "null". The
> debug message shows:
>
> [07/Jun/2012 10:31:06] code 400, message Bad request syntax
> ('\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01O\xd0\xc9:}m\x9e\x04\xbf_:$`\x96v\xca\x1b\x92\xb8\xc7?M\x0f\xbdc\x8e\xfb+\x84E\x8c?\x00\x00H\x00\xff\xc0')
> [07/Jun/2012 10:31:06] "??O??:}m??_:$`?v????M?c??+?E??H??" 400 -
>
> This error message looks similar to that before the csrf_exempt decorator
> was added, which suggests to me that the problem may not be in the csrf
> protection. Am I right? Any thoughts would be greatly appreciated!
>
> voss
>
>
> On Monday, June 4, 2012 8:21:15 PM UTC-5, henzk wrote:
>>
>> Hi Voss,
>>
>> i forgot about django's CSRF protection.
>> You can use the csrf_exempt decorator on the view function to disable
>> django's CSRF protection - however, i wouldn't recommend that.
>>
>> There is a script at
>> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
>> To use the script with dojo instead of jquery, you will need to adapt it
>> a little:
>>
>> - copy the getCookie function to your code
>>
>> then, every time you make a POST request to your application using
>> dojo.xhrPost, add this to the arguments object:
>>
>>     headers: {'X-CSRFToken': getCookie('csrftoken')}
>>
>> If you are still getting HTTP 400 errors, verify that the request looks
>> sane in firebug and check that it contains a X_HTTP_REQUESTED_WITH header
>> set to XMLHttpRequest (but i am pretty sure dojo adds this one
>> automatically).
>>
>> hendrik
>>
>> On Monday, June 4, 2012 18:33:21 UTC+2, voss wrote:
>>>
>>> Hi Hendrik,
>>>
>>> I forgot to mention in my previous message that the debug shows the
>>> following:
>>>
>>> code 400, message Bad request syntax
>>> ("\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01O\xcc\xd8\xc0\x18hZ\x7f\xa3h\xb9l\xaf\xdb\xfbp}(\xc1\xc6\xa5g\x18\xe5!\x87\xd4\xe2`_'\x90\x00\x00H\x00\xff\xc0")
>>>
>>> Thank you!
>>>
>>> voss
>>>
>>>
>>>
>>> On Saturday, June 2, 2012 8:46:38 AM UTC-5, henzk wrote:
>>>>
>>>> Hi,
>>>>
>>>> i haven't tested the code and never used dojo before, but sth. like
>>>> this should work:
>>>>
>>>>     var source1 = new dojo.dnd.Source("itemListNode");
>>>>     var source2 = new dojo.dnd.Target("selectedListNode");
>>>>     dojo.connect( source1, "onDndDrop",
>>>>         function(source, nodes, copy, target){
>>>>             //gather items and details
>>>>             var details = [];
>>>>             for( var i=0; i < nodes.length; i++){
>>>>                 var item = this.getItem(nodes[i].id);
>>>>                 details.push(item.data);
>>>>             }
>>>>             //send details to server via AJAX POST request
>>>>             dojo.xhrPost({
>>>>                 url: "/save_details/",
>>>>                 content: {details: JSON.stringify(details)},
>>>>                 // The success handler
>>>>                 load: function(response) {
>>>>                     alert('ok');
>>>>                 },
>>>>                 // The error handler
>>>>                 error: function() {
>>>>                     alert("error");
>>>>                 }
>>>>             });
>>>>     });
>>>>
>>>> Explanation:
>>>>
>>>> - changed 'item' to 'var item' ... without the 'var' item will be
>>>>   global, which is probably not what you want.
>>>> - to get around making multiple requests to the server (one for each
>>>>   dropped node), put the detail of each node in the details array.
>>>> - then json-encode and send this array to your django view (assumed to
>>>>   be at '/save_details/')
>>>> - in the view, access the list as
>>>>   json.loads(request.POST.get('details', '[]')) and place it into
>>>>   request.session
>>>>
>>>> As mentioned, the code is completely untested.
>>>>
>>>> Good luck!
>>>>
>>>> Yours,
>>>>
>>>> Hendrik Speidel
>>>>
>>> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/CWKY_xRFelAJ.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/zX59VNkLB-gJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
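
Added example, not part of the original thread: the leading bytes of the two "Bad request syntax" payloads quoted above decode as a TLS record header carrying a ClientHello, which is what a plain-HTTP server logs when a client opens the connection with HTTPS. The function and constant names are illustrative, the two LOGGED_* values are the first 11 bytes of the payloads from the thread, and PLAIN_HTTP is a constructed sample.

```python
import struct

# First 11 bytes of the two payloads quoted in the thread's log excerpts.
LOGGED_7_JUNE = b"\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01"
LOGGED_4_JUNE = b"\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01"
# Constructed sample of what a plain-HTTP POST to the same view starts with.
PLAIN_HTTP = b"POST /test/ HTTP/1.1\r\nHost: localhost:8000\r\n"

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify_request_start(data: bytes) -> dict:
    """Say whether the first bytes on a connection are HTTP or a TLS record."""
    # An HTTP/1.x request line begins with an upper-case ASCII method token.
    method, sep, _ = data.partition(b" ")
    if sep and method.isalpha() and method.isupper():
        return {"kind": "http", "method": method.decode("ascii")}
    if len(data) < 5:
        return {"kind": "unknown"}
    # TLS record header: content type (1), version (2), length (2).
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return {"kind": "unknown"}
    info = {"kind": "tls", "record": CONTENT_TYPES[ctype],
            "record_version": VERSIONS.get((major, minor), "unknown"),
            "record_length": rec_len}
    if ctype == 22 and len(data) >= 11:
        # Handshake header: type (1), length (3), then the hello version (2).
        info["handshake"] = HANDSHAKE_TYPES.get(data[5], "other")
        info["handshake_length"] = int.from_bytes(data[6:9], "big")
        info["hello_version"] = VERSIONS.get((data[9], data[10]), "unknown")
    return info


if __name__ == "__main__":
    for name, raw in [("7 June log", LOGGED_7_JUNE),
                      ("4 June log", LOGGED_4_JUNE),
                      ("plain HTTP", PLAIN_HTTP)]:
        print(name, classify_request_start(raw))
```

In both logged payloads the record length equals the handshake length plus the 4-byte handshake header, so the bytes are a well-formed ClientHello and not a corrupted POST body.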