Opened 7 years ago

Closed 7 years ago

#15501 closed (wontfix)

CSRF middleware does not handle REST api application correctly

Reported by: Kristoffer Snabb
Owned by: nobody
Component: HTTP handling
Version: 1.2
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


The CSRF middleware does not work if the application is a strict RESTful API that returns JSON with GET requests and adds information with POST requests. This problem came with the upgrade to Django version 1.2.5.

A solution would be to add 'application/json' and 'application/javascript' to the types that should return a response with a csrftoken cookie.

This is in the current csrf middleware:

_HTML_TYPES = ('text/html', 'application/xhtml+xml')

I did not find any good workarounds or other documentation about this so I report it here.

Change History (1)

comment:1 Changed 7 years ago by Łukasz Rekucki

Resolution: wontfix
Status: new → closed

CsrfResponseMiddleware is deprecated. The correct way to handle this is using CsrfViewMiddleware and adding the token as a cookie. See the blog post about the 1.2.5 security release and its errata.

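The client half of the approach the comment recommends, as an added example that is not part of the ticket: the server sets the csrftoken cookie (in Django, a GET view decorated with ensure_csrf_cookie), and the JSON client reads that cookie and echoes it in the X-CSRFToken header on unsafe, same-origin requests only. The cookie string and origin values below are constructed for illustration.

```javascript
// Added example (not from the ticket). Assumes Django's default CSRF cookie
// name ("csrftoken") and default header name, which Django reads as X-CSRFToken.

// Methods Django's CsrfViewMiddleware does not check; no token needed for these.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a document.cookie-style string ("a=1; b=2") and return one cookie's
// value, or null if it is absent.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// True when `url` resolves to the same origin as `origin`; the token must
// never be sent to another site.
function isSameOrigin(url, origin) {
  return new URL(url, origin).origin === new URL(origin).origin;
}

// Build request headers for a JSON API call. Unsafe same-origin requests
// carry the CSRF token copied from the cookie; everything else does not.
function csrfHeaders(method, cookieString, url, origin) {
  const headers = { "Content-Type": "application/json" };
  if (SAFE_METHODS.has(method.toUpperCase()) || !isSameOrigin(url, origin)) {
    return headers;
  }
  const token = getCookie(cookieString, "csrftoken");
  if (token === null) {
    // Without the cookie the POST will be rejected with 403; the client must
    // first GET an endpoint that sets it (ensure_csrf_cookie on the server).
    throw new Error("csrftoken cookie missing; fetch a cookie-setting endpoint first");
  }
  headers["X-CSRFToken"] = token;
  return headers;
}

// In a browser this would be used as:
// fetch("/api/items/", { method: "POST", credentials: "same-origin",
//   headers: csrfHeaders("POST", document.cookie, "/api/items/", location.origin),
//   body: JSON.stringify({ name: "x" }) });
```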