Ajax CSRF example doesn't work as documented

[Tim Graham]

The jQuery example on the 1.2.5 release notes page uses $("#csrfmiddlewaretoken") but {% csrf_token %} doesn't appear to render with an ID attribute. $("input[name=csrfmiddlewaretoken]") works for me.

[Luke Plant]

Accepted - this is a confusion from the docs for 1.1: ​http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/#ajax . I'm not sure this is the best solution, as it requires having a form on the page for it to work.

In 1.1, the CSRF response middleware was the recommended method, and it inserted an input tag with an id attribute. In 1.2, the response middleware is deprecated, and the CSRF template tag (the recommended method) does not insert an input tag with an id attribute (for reasons of HTML validity - it would be much harder to ensure that only one input has an id attribute, and two with the same id is invalid HTML).

For purposes of javascript with 1.2 and later, I would recommend the cookie method that is found in the docs for trunk: ​http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax because this will work even if there is no form on the page. But the code is significantly longer due to the need to parse cookies. This method will not work for 1.1.

So we need the blog announcement to be updated to have both methods. The 1.2.5 release notes in svn need to be updated to have the method that works for 1.2.X. We don't appear to have any 1.1.4 release notes in svn for some reason (or 1.1.3).

[Tim Graham]

Fixed in commits for ticket #15259.