Ajax CSRF protection doesn't apply to PUT or DELETE requests
|Reported by:||Brodie Rao||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||yes||Patch needs improvement:||no|
The CSRFViewMiddleware only does CSRF checks for POST requests. It's not uncommon to do PUT and DELETE requests from Ajax. Now that the middleware also checks Ajax requests, we should probably check those request methods as well.
One tricky thing is extracting form data for PUT and DELETE requests. We don't populate request.POST for those methods, so we would either have to add something to get them out of raw_post_data, or require X-CSRFToken to be set for PUT/DELETE.
Change History (8)
comment:1 Changed 6 years ago by
|Patch needs improvement:||unset|
|Triage Stage:||Unreviewed → Accepted|