Opened 4 years ago

Closed 4 years ago

#15501 closed (wontfix)

CSRF middleware does not handle REST api application correctly

Reported by: ksnabb Owned by: nobody
Component: HTTP handling Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

The CSRF middleware does not work if the application is a strict RESTful API that returns JSON with GET requests and adds information with POST requests. This problem came with the upgrade to Django version 1.2.5.

A solution would be to add 'application/json' and 'application/javascript' to the types that should return a response with a csrftoken cookie.

This is in the current csrf middleware:

_HTML_TYPES = ('text/html', 'application/xhtml+xml')

http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py?rev=15623

I did not find any good workarounds or other documentation about this so I report it here.

Change History (1)

comment:1 Changed 4 years ago by lrekucki

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

CsrfResponseMiddleware is deprecated. The correct way to handle this is using CsrfViewMiddleware and adding the token as a cookie. See the blog post about the 1.2.5 security release and its errata.
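As an added illustration of the approach the comment describes (this is not code from the ticket or from Django itself): a pure-Python model of the CsrfViewMiddleware double-submit check, with a JSON view that asks for the token on GET so that the csrftoken cookie is set even though the response is not HTML, followed by a constructed client session. The `Request`, `Response`, `items_api` and `run_client_flow` names are assumptions for this example, and `get_token` here mimics the effect of `django.middleware.csrf.get_token` rather than calling it.

```python
import hmac
import json
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"     # Django's default CSRF_COOKIE_NAME
HEADER_NAME = "X-CSRFToken"   # header Django's docs recommend for AJAX clients


@dataclass
class Request:
    """Constructed stand-in for an HttpRequest (assumption, not Django's class)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: str = ""
    csrf_token: str = ""
    csrf_token_used: bool = False


@dataclass
class Response:
    """Constructed stand-in for an HttpResponse (assumption, not Django's class)."""
    status: int
    body: str
    content_type: str = "application/json"
    cookies: dict = field(default_factory=dict)


def get_token(request):
    """Mimics django.middleware.csrf.get_token: hand the view the token and
    record that it was used, so the middleware sets the cookie on the way out."""
    request.csrf_token_used = True
    return request.csrf_token


def csrf_view_middleware(view):
    """Double-submit check modelled on CsrfViewMiddleware (not Django's code)."""
    def wrapped(request):
        cookie_token = request.cookies.get(COOKIE_NAME)
        request.csrf_token = cookie_token or secrets.token_hex(16)

        if request.method not in SAFE_METHODS:
            if cookie_token is None:
                return Response(403, json.dumps({"error": "CSRF cookie not set"}))
            sent = request.headers.get(HEADER_NAME, "")
            # Constant-time comparison of the cookie value with the echoed header.
            if not hmac.compare_digest(cookie_token.encode(), sent.encode()):
                return Response(403, json.dumps({"error": "CSRF token missing or incorrect"}))

        response = view(request)
        # The cookie is only set when the view asked for the token; a plain JSON
        # GET that never calls get_token() gets no cookie, which is the gap the
        # ticket describes. Content type plays no part in this decision.
        if request.csrf_token_used:
            response.cookies[COOKIE_NAME] = request.csrf_token
        return response
    return wrapped


ITEMS = []  # in-memory store for the example view


@csrf_view_middleware
def items_api(request):
    """JSON endpoint: GET lists items and forces the csrftoken cookie, POST adds one."""
    if request.method == "GET":
        get_token(request)   # this call is what makes the cookie appear on a JSON response
        return Response(200, json.dumps(ITEMS))
    if request.method == "POST":
        ITEMS.append(json.loads(request.body))
        return Response(201, json.dumps({"count": len(ITEMS)}))
    return Response(405, json.dumps({"error": "method not allowed"}))


def run_client_flow():
    """Constructed client session: GET to obtain the cookie, then a POST that only
    carries the cookie and a POST that also echoes it in the header.
    Returns the three status codes."""
    ITEMS.clear()
    first = items_api(Request("GET"))
    token = first.cookies[COOKIE_NAME]
    jar = {COOKIE_NAME: token}

    # Cross-site style request: the browser attaches the cookie automatically, but a
    # foreign page cannot read it, so the header is absent and the request is refused.
    cookie_only = items_api(Request("POST", cookies=jar, body='{"name": "x"}'))

    # Same-origin JS client: reads the cookie and echoes it in X-CSRFToken.
    with_header = items_api(Request("POST", cookies=jar,
                                    headers={HEADER_NAME: token}, body='{"name": "x"}'))
    return first.status, cookie_only.status, with_header.status


if __name__ == "__main__":
    print(run_client_flow())
```

In a real Django project the equivalent of the `get_token(request)` call in the GET view is calling `django.middleware.csrf.get_token(request)` (or, from Django 1.4 on, decorating the view with `ensure_csrf_cookie`); the JavaScript client then reads the `csrftoken` cookie and sends its value in the `X-CSRFToken` header on every POST, as the Django CSRF documentation's AJAX recipe shows.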
