id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
9559	CSRFMiddleware should strip POST data instead of showing the user an error message if a forgery is detected	Zain Memon	nobody	"If a page receives a POST that doesn't contain the 'csrfmiddlewaretoken' variable, it shows the following message: ""Cross Site Request Forgery detected. Request aborted.""

Instead of showing the user this message, I propose just stripping out the POST data. That could help improve user experience in the case where a site outside your control is redirecting to you.

For example, if a user is paying you via PayPal web payments, they get redirected back to your website at the end. During this step, PayPal POSTs some (non-critical) information. At this point, the CSRF middleware shows the user an error. As a result, it is impossible to use the CSRF middleware on a website that accepts PayPal web payments.

The patch I have attached merely sets request.POST = [] instead of giving the user an HttpResponseForbidden message."	Uncategorized	closed	CSRF	1.0	Normal	invalid	csrf, csrfmiddleware	glennfmaynard@…	Design decision needed	1	0	0	1	0	0
