CSRF documentation problem

[benlbroussard]

The documentation for "Cross Site Request Forgery protection" found at ​http://docs.djangoproject.com/en/dev/ref/contrib/csrf/ is both unclear and incorrect in the last paragraph before limitations where it states:

"The middleware tries to be smart about requests that come in via AJAX. Many JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header; these requests are detected and automatically not handled by this middleware. We can do this safely because, in the context of a browser, the header can only be added by using XMLHttpRequest, and browsers already implement a same-domain policy for XMLHttpRequest. (Note that this is not secure if you don't trust content within the same domain or subdomains.)"

It is true that the browsers have implemented a same-domain policy for XMLHttpRequest. The implicit statement is that the browser will only allow XMLHttpRequest requests from the same domain. This is, however, not true. Browsers will allow image, js file, css file, and AJAX requests from any domain to any domain. What it will not allow is the parsing of the AJAX response.

This means that the current CsrfMiddleware does not handle AJAX requests securely. It should validate a token for POST AJAX requests. It should fail if the token is not valid or doesn't exist.

[Luke Plant]

Cross-domain img, css etc. requests are not "XMLHttpRequest requests", and they are irrelevant because you cannot get the browser to set the X-Requested-With header for those requests. As for XMLHttpRequest itself, by looking at logs etc., I've verified that I cannot produce a cross-domain GET request or POST request using XMLHttpRequest (with the browsers I've tested at least). So this bug report appears to be invalid. If there are some browsers where you can use XMLHttpRequest to do a cross-domain request, please re-open, indicating which browsers.