If you have access to the form (meaning you are in the DOM), and if you 
don't mind using jQuery, there is the even simpler:

<script type="text/javascript">
// serialize() picks up the hidden csrfmiddlewaretoken input rendered by {% csrf_token %}
$.post("/some/url", $("#someform").serialize(), function(data){
  // Do whatever with data
});
</script>


$("#someform").serialize() automatically adds the csrf_token which should 
be contained in your form. This makes it a lot easier to validate your form 
via AJAX.

Cheers,
Nicolas Patry
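The two approaches in this thread (serializing the form so the hidden token travels with the body, and an ajaxSend hook that adds an X-CSRFToken header only for unsafe same-origin requests) share one decision: when is it safe to attach the token at all. The block below is an added example, not code from this thread or from Django; it uses fetch/FormData instead of jQuery and the URL parser instead of string prefix checks, keeps the decision in a function that takes the page origin and cookie string as arguments so it can be exercised outside a browser, and assumes Django's default cookie name (csrftoken) and header name (X-CSRFToken). The function names csrfHeadersFor, readCookie, isSameOrigin, isSafeMethod and postForm are my own.

```javascript
// Added example (not from the thread or from Django): a CSRF-aware request
// helper. Assumed names: csrfHeadersFor, readCookie, isSameOrigin,
// isSafeMethod, postForm. Django defaults assumed: cookie "csrftoken",
// header "X-CSRFToken", form field "csrfmiddlewaretoken".

// Django's CsrfViewMiddleware only checks the token on state-changing
// methods; GET/HEAD/OPTIONS/TRACE are left alone, so nothing is attached.
function isSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Parse a document.cookie-style string ("a=1; b=2") and return the value
// for `name`, or null when the cookie is absent.
function readCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const c = part.trim();
    if (c.startsWith(name + '=')) {
      return decodeURIComponent(c.slice(name.length + 1));
    }
  }
  return null;
}

// Resolve relative, scheme-relative and absolute URLs against the page's
// origin and compare origins (scheme + host + port). A different port,
// a scheme downgrade, or a host that merely starts with ours
// ("https://example.com.evil.net/") all count as foreign.
function isSameOrigin(url, pageOrigin) {
  let target;
  try {
    target = new URL(url, pageOrigin + '/');
  } catch (e) {
    return false; // unparseable: never send the token
  }
  return target.origin === pageOrigin;
}

// Decide which extra headers a request should carry. The token is attached
// only for unsafe methods to our own origin; sending it anywhere else would
// hand a per-session secret to a third party. Returns {} when nothing
// should be added.
function csrfHeadersFor(method, url, pageOrigin, cookieString) {
  if (isSafeMethod(method) || !isSameOrigin(url, pageOrigin)) {
    return {};
  }
  const token = readCookie('csrftoken', cookieString);
  if (token === null) {
    // No cookie: the page never rendered {% csrf_token %} or the middleware
    // is not active. The POST will be rejected anyway; do not fake a value.
    return {};
  }
  return { 'X-CSRFToken': token };
}

// Browser-side equivalent of $.post(url, $(form).serialize(), ...):
// FormData(form) includes the hidden csrfmiddlewaretoken input, and the
// header is added as well; Django accepts the token from either place.
async function postForm(form) {
  const pageOrigin = document.location.origin;
  const headers = csrfHeadersFor('POST', form.action, pageOrigin, document.cookie);
  return fetch(form.action, {
    method: 'POST',
    headers,
    body: new FormData(form),
    credentials: 'same-origin', // make sure the session and csrftoken cookies go along
  });
}
```

In a page you would call postForm(document.getElementById('someform')) from the submit handler; the decision function is what to test, because a mistake there either breaks every AJAX POST (403) or leaks the token to other origins.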

On Monday, September 24, 2012 4:00:02 PM UTC+2, jondykeman wrote:
>
> +1 For doing it right from the beginning. 
>
> I was tempted to disable when trying to deal with AJAX especially early 
> on. Below is some code with jQuery so that you won't need to manually feed 
> the token through your AJAX.
>
> <script type="text/javascript"> 
> jQuery(document).ajaxSend(function(event, xhr, settings) {
>     function getCookie(name) {
>         var cookieValue = null;
>         if (document.cookie && document.cookie != '') {
>             var cookies = document.cookie.split(';');
>             for (var i = 0; i < cookies.length; i++) {
>                 var cookie = jQuery.trim(cookies[i]);
>                 // Does this cookie string begin with the name we want?
>                 if (cookie.substring(0, name.length + 1) == (name + '=')) {
>                     cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
>                     break;
>                 }
>             }
>         }
>         return cookieValue;
>     }
>     function sameOrigin(url) {
>         // url could be relative or scheme relative or absolute
>         var host = document.location.host; // host + port
>         var protocol = document.location.protocol;
>         var sr_origin = '//' + host;
>         var origin = protocol + sr_origin;
>         // Allow absolute or scheme relative URLs to same origin
>         return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
>             (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
>             // or any other URL that isn't scheme relative or absolute i.e relative.
>             !(/^(\/\/|http:|https:).*/.test(url));
>     }
>     function safeMethod(method) {
>         return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
>     }
>
>     if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
>         xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
>     }
> });
> </script>
>
> On Monday, September 24, 2012 7:07:09 AM UTC-6, Mulianto wrote:
>>
>> Hi, better use CSRF for your application security.
>>
>> It is easier to disable it, but the security of your app is what you will think 
>> about after it is running later.
>>
>> Do it correctly now or later.
>>
>> Rgds,
>>
>> Mulianto
>>
>> On Mon, Sep 24, 2012 at 2:56 PM, yati sagade <yati....@gmail.com> wrote:
>>
>>> Remove {% csrf_token %} from the form AND leave the csrf_exempt 
>>> decorator as it is in the view. Everyone faces challenges while learning a 
>>> new thing. The key is to face it head on and not to move to somewhere you 
>>> think there will be no challenges :)
>>>
>>>
>>> On Mon, Sep 24, 2012 at 1:14 AM, puneet loya <punee...@gmail.com> wrote:
>>>
>>>> Hi 
>>>>
>>>> I was trying to disable CSRF. I am calling post using AJAX.
>>>>
>>>> I have used the csrf token and placed it below the form.  
>>>>
>>>> In my views file I'm using csrf_exempt.
>>>>
>>>> I am still getting the network forbidden error. :(
>>>>
>>>> If you require more information I will share it :) 
>>>>
>>>> On Thursday, 19 August 2010 06:49:02 UTC+5:30, chenge wrote:
>>>>>
>>>>>
>>>>>
>>>>> On August 18, 4:29 AM, Rolando Espinoza La Fuente <dark...@gmail.com> wrote: 
>>>>> > On Tue, Aug 17, 2010 at 8:01 AM, chenge <cheng...@gmail.com> wrote: 
>>>>> > > I'm new to Django. CSRF is driving me crazy! 
>>>>> > 
>>>>> > Can't use {% csrf_token %} tag inside your <form>'s? 
>>>>> > 
>>>>> > See the csrf_exempt decorator: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions
>>>>> > 
>>>>> > Regards, 
>>>>> > 
>>>>> > Rolando Espinoza La Fuente
>>>>> > www.insophia.com 
>>>>>
>>>>> Thanks, I decided to try Flask first; that seems simple. Maybe I'll try 
>>>>> the exempt.
>>>>
>>>>  -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Django users" group.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msg/django-users/-/BQ5RpafQK3EJ.
>>>> To post to this group, send email to django...@googlegroups.com.
>>>> To unsubscribe from this group, send email to 
>>>> django-users...@googlegroups.com.
>>>> For more options, visit this group at 
>>>> http://groups.google.com/group/django-users?hl=en.
>>>>
>>>
>>>
>>>
>>> -- 
>>> Yati Sagade
>>>
>>> Software Engineer at mquotient <http://www.mquotient.net/> 
>>> <http://twitter.com/yati_itay>
>>>
>>> Twitter: @yati_itay <http://twitter.com/yati_itay> | Github: 
>>> yati-sagade<https://github.com/yati-sagade>
>>>
>>> Organizing member of TEDx EasternMetropolitanBypass
>>> http://www.ted.com/tedx/events/4933
>>>
>>> https://www.facebook.com/pages/TEDx-EasternMetropolitanBypass/337763226244869
>>>
>>>
>>>
>>>
>>
>>
