id: 11566
summary: CSRF documentation problem
reporter: benlbroussard
owner: nobody
type: (none)
status: closed
component: Documentation
version: 1.0
severity: (none)
resolution: invalid
keywords: (none)
cc: (none)
stage: Unreviewed
has_patch: 0
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0

description:

The documentation for "Cross Site Request Forgery protection" found at http://docs.djangoproject.com/en/dev/ref/contrib/csrf/ is both unclear and incorrect in the last paragraph before Limitations, where it states:

"The middleware tries to be smart about requests that come in via AJAX. Many JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header; these requests are detected and automatically not handled by this middleware. We can do this safely because, in the context of a browser, the header can only be added by using XMLHttpRequest, and browsers already implement a same-domain policy for XMLHttpRequest. (Note that this is not secure if you don't trust content within the same domain or subdomains.)"

It is true that browsers have implemented a same-domain policy for XMLHttpRequest. The implicit statement is that the browser will only allow XMLHttpRequest requests from the same domain. This is, however, not true. Browsers will allow image, JS file, CSS file, and AJAX requests from any domain to any domain. What they will not allow is the parsing of the AJAX response.

This means that the current CsrfMiddleware does not handle AJAX requests securely. It should validate a token for POST AJAX requests. It should fail if the token is not valid or doesn't exist.
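Added example, not code from the ticket or from Django: a hypothetical, minimal model of the two policies the reporter contrasts, exempting requests that carry the X-Requested-With header versus requiring a valid token on every state-changing request. The request dict, cookie name and field names are assumptions for illustration; the token comparison is a simplified double-submit style check, not Django's implementation.

```python
import hmac
import secrets

UNSAFE_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def make_request(method, cookies=None, post=None, headers=None):
    """Hypothetical stand-in for an HTTP request (assumption: not Django's HttpRequest)."""
    return {
        "method": method,
        "cookies": cookies or {},
        "post": post or {},
        "headers": headers or {},
    }


def new_token():
    """Issue an unguessable per-session token to store in the client's cookie."""
    return secrets.token_hex(16)


def token_matches(request):
    """Compare the token the client was issued with the one it sent back.

    The token may arrive as a form field or as a request header; either way it
    must equal the cookie value. compare_digest avoids a timing side channel.
    """
    expected = request["cookies"].get("csrftoken")
    supplied = request["post"].get("csrfmiddlewaretoken") or request["headers"].get("X-CSRFToken")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def accept_with_ajax_exemption(request):
    """The policy the ticket criticises: skip validation when the AJAX header is present."""
    if request["method"] not in UNSAFE_METHODS:
        return True
    if request["headers"].get("X-Requested-With") == "XMLHttpRequest":
        return True  # no token is ever checked on this path
    return token_matches(request)


def accept_strict(request):
    """The policy the reporter asks for: every unsafe request needs a valid token."""
    if request["method"] not in UNSAFE_METHODS:
        return True
    return token_matches(request)
```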