CSRF documentation problem
Reported by: benlbroussard
Owned by: nobody
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
The documentation for "Cross Site Request Forgery protection" found at http://docs.djangoproject.com/en/dev/ref/contrib/csrf/ is both unclear and incorrect in the last paragraph before limitations where it states:
It is true that the browsers have implemented a same-domain policy for XMLHttpRequest. The implicit statement is that the browser will only allow XMLHttpRequest requests from the same domain. This is, however, not true. Browsers will allow image, js file, css file, and AJAX requests from any domain to any domain. What it will not allow is the parsing of the AJAX response.
This means that the current CsrfMiddleware does not handle AJAX requests securely. It should validate a token for POST AJAX requests. It should fail if the token is not valid or doesn't exist.