Opened 14 years ago
Closed 14 years ago
#15501 closed (wontfix)
CSRF middleware does not handle REST api application correctly
| Reported by: | Kristoffer Snabb | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.2 |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The CSRF middleware does not work if the application is a strict RESTful api that returns JSON with GET requests and adds information with POST requests. This problem came with the upgrade to Django version 1.2.5
A solution would be to add 'application/json' and 'application/javascript' to the types that should return a response with a csrtoken cookie.
This is in the current csrf middleware:
_HTML_TYPES = ('text/html', 'application/xhtml+xml')
http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py?rev=15623
I did not find any good workarounds or other documentation about this so I report it here.
Note:
See TracTickets
for help on using tickets.
CsrfResponseMiddleware is deprecated. The correct way to handle this, is using CsrfViewMiddleware and adding the token as a cookie . See the blog post about 1.2.5 security release and it's errata