I'll chime in as opposed to forcing the cookie where not strictly
necessary. It makes caching harder, and means that many of the dumber
caching systems out there won't cache it at all (some mobile
operators, smaller ISPs in lower GDP countries, etc.). Pushing the
cookie to make AJAX easier seems es
On Feb 25, 9:49 am, Luke Plant wrote:
> Sorry, I forgot to continue this conversation.
>
> I'm quite happy to entertain the idea that the CSRF middleware should
> always set the CSRF cookie, but would like to know what other devs
> think.
>
> The main consequence I can think of is this:
>
> If a p
On Wed, 2011-02-23 at 15:23 -0800, Jonas Obrist wrote:
> Well, writing a middleware in my app or decorating all views seems a
> little hacky/unclean to me too.
>
> In our specific use case, the django CMS, the graceful degrading is
> done through the admin, our so-called frontend editing is heavil
Well, writing a middleware in my app or decorating all views seems a little
hacky/unclean to me too.
In our specific use case, the django CMS, the graceful degrading is done
through the admin, our so-called frontend editing is heavily JavaScript and
AJAX based, without HTML forms. Therefore we h
On Wed, 2011-02-23 at 05:07 -0800, Jonas Obrist wrote:
> I beg to differ, Luke.
>
>
> Most of our AJAX POSTs we do are actually not a 'form'. Because we
> usually submit forms with 'normal' POST requests.
I was suggesting that normally you would encounter at least one normal
form before doing AJA
I beg to differ, Luke.
Most of our AJAX POSTs we do are actually not a 'form'. Because we usually
submit forms with 'normal' POST requests.
What would be so terrible in just setting the cookie always?
Jonas
http://code.djangoproject.com/ticket/15354
2011/2/19 Luke Plant
> On Sat, 2011-02-19 at 12:00 +0100, Sayane wrote:
> > There's a problem with CSRF Protection and XHR requests. It works
> > perfectly if 'csrftoken' cookie has been set already. But what if it's
> > not?
> > Cookie with token will
On Sat, 2011-02-19 at 12:00 +0100, Sayane wrote:
> There's a problem with CSRF Protection and XHR requests. It works
> perfectly if 'csrftoken' cookie has been set already. But what if it's
> not?
> Cookie with token will be set only if META["CSRF_COOKIE_USED"] is
> True [1]. It's set to True in f
There's a problem with CSRF Protection and XHR requests. It works perfectly
if 'csrftoken' cookie has been set already. But what if it's not?
Cookie with token will be set only if META["CSRF_COOKIE_USED"] is True [1].
It's set to True in function get_token() [2]. get_token() is called in
CsrfRespo