#15284 closed (fixed)
CSRF/Ajax/jQuery example could break other site JS
Reported by: | LukeMaurer | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.2 |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The example given for setting up jQuery to pass the CSRF token in Ajax requests (http://docs.djangoproject.com/en/1.2/ref/contrib/csrf/#ajax) has a problem: If the site already uses $.ajaxSetup({beforeSend: ...})
for other processing, this code will clobber that other handler (or vice versa).
The jQuery docs suggest using $.ajaxSend()
and friends for setting up global callbacks, rather than $.ajaxSetup()
, I suspect for this reason.
At any rate, using jQuery's suggestion would make the example look like:
$.ajaxSend(function(event, xhr, settings) { function getCookie(name) { var cookieValue = null; if (document.cookie && document.cookie != '') { var cookies = document.cookie.split(';'); for (var i = 0; i < cookies.length; i++) { var cookie = jQuery.trim(cookies[i]); // Does this cookie string begin with the name we want? if (cookie.substring(0, name.length + 1) == (name + '=')) { cookieValue = decodeURIComponent(cookie.substring(name.length + 1)); break; } } } return cookieValue; } if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) { // Only send the token to relative URLs i.e. locally. xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken')); } });
(where only the outer function call and the signature of the callback have changed)
Change History (7)
comment:1 by , 14 years ago
milestone: | → 1.3 |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 14 years ago
comment:6 by , 14 years ago
The example code is broken: $.ajaxSend does not exist.
I use instead:
$(document).ajaxSetup(…)
I was aware of that problem with beforeSend, but I hadn't realised that you could actually alter the XHR request in ajaxSend. This is potentially fragile (the docs only give examples of reading the XHR object, not altering it), but it seems unlikely to break, so I agree that we should change this.