On Mon, May 12, 2014 at 9:08 PM, Tom Evans <tevans...@googlemail.com> wrote: > On Mon, May 12, 2014 at 9:01 PM, Aseem Bansal <asmbans...@gmail.com> wrote: >> Hi Sanjay >> >> I think you misunderstood a bit. The JS that I am talking about will not be >> inside the web pages of the project. The JS is supposed to be used as a >> Bookmarklet in the web browser. I intend to use the bookmarklet for sending >> the current webpage's url to the app via a POST request. The app will then >> store the URL. > > The entire purpose of CSRF is to stop things like that from being > possible. The bookmark makes a cross site request from the site you > are currently on to your django site. > > In light of that, disable CSRF for that view. >
I should also mention that this would also leave that view wide open to a CSRF attack. A malicious user who can make you execute javascript - if you view a webpage they either control, or have injected javascript in to (like a forum) - could then make your browser make forged requests to your view, submitting whatever content or url that they wanted to it, using your credentials. Cheers Tom -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at http://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAFHbX1Kspq1%2B1EErgWo8P2id96F3C2_rJ9rC-Ts%2BQwPDG0QSjg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
