Opened 3 years ago

Closed 3 years ago

#15501 closed (wontfix)

CSRF middleware does not handle REST api application correctly

Reported by: ksnabb Owned by: nobody
Component: HTTP handling Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


The CSRF middleware does not work if the application is a strict RESTful API that returns JSON with GET requests and adds information with POST requests. This problem came with the upgrade to Django version 1.2.5.

A solution would be to add 'application/json' and 'application/javascript' to the types that should return a response with a csrftoken cookie.

This is in the current csrf middleware:

_HTML_TYPES = ('text/html', 'application/xhtml+xml')

I did not find any good workarounds or other documentation about this, so I report it here.

Attachments (0)

Change History (1)

comment:1 Changed 3 years ago by lrekucki

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

CsrfResponseMiddleware is deprecated. The correct way to handle this is using CsrfViewMiddleware and adding the token as a cookie. See the blog post about the 1.2.5 security release and its errata.
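The exchange above, as an added example that is not part of the ticket or of Django's own code: a simplified stand-alone model of the double-submit check that CsrfViewMiddleware performs on unsafe methods, together with the "set the token as a cookie on every response" behaviour the comment points to (in Django that is the ensure_csrf_cookie decorator). It shows why a JSON API client does not need a text/html response at all: it reads the csrftoken cookie and echoes it in the X-CSRFToken header, which a cross-site page cannot do because it cannot read the cookie. The Request class, the 32-character token length and the reason strings are assumptions for illustration; real Django additionally checks the Referer on HTTPS and has evolved its token format since 1.2.5.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Names that Django actually uses for the cookie, the header and the form field.
COOKIE_NAME = "csrftoken"
HEADER_NAME = "X-CSRFToken"
FORM_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
TOKEN_LENGTH = 32  # assumption: 32 hex characters, as in the 1.2-era middleware


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not Django's HttpRequest)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def new_token() -> str:
    """Fresh random token; secrets gives a CSPRNG-backed value."""
    return secrets.token_hex(TOKEN_LENGTH // 2)


def ensure_csrf_cookie(request: Request, response_cookies: dict) -> str:
    """Set the csrftoken cookie on the response regardless of content type.

    This is the behaviour the comment recommends for JSON APIs: the token
    travels in a cookie, not in an HTML form, so a GET that returns JSON
    still gives the browser client a token it can read and send back.
    """
    token = request.cookies.get(COOKIE_NAME)
    if not token or len(token) != TOKEN_LENGTH:
        token = new_token()
    response_cookies[COOKIE_NAME] = token
    return token


def csrf_check(request: Request) -> tuple:
    """Double-submit check modelled on CsrfViewMiddleware.

    Returns (accepted, reason). Safe methods pass; unsafe methods must carry
    the cookie token *and* a matching copy in the form field or the header.
    """
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie_token = request.cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    # A JSON client has no form body, so the header is the usual carrier.
    submitted = request.post.get(FORM_FIELD) or request.headers.get(HEADER_NAME)
    if not submitted:
        return False, "CSRF token missing"
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(cookie_token, submitted):
        return False, "CSRF token incorrect"
    return True, "ok"


def api_client_flow() -> dict:
    """Simulate a same-origin JSON client against this model and collect outcomes."""
    # 1. GET /api/items returns JSON; the middleware still sets the cookie.
    response_cookies = {}
    token = ensure_csrf_cookie(Request("GET"), response_cookies)

    # 2. The client reads document.cookie and echoes the token in the header.
    good_post = Request("POST", cookies=dict(response_cookies),
                        headers={HEADER_NAME: token}, post={"name": "widget"})

    # 3. A request that carries the cookie (browsers attach it automatically)
    #    but no echoed token is exactly what a cross-site forged POST looks like.
    forged_post = Request("POST", cookies=dict(response_cookies), post={"name": "widget"})

    return {
        "cookie_set_on_json_get": response_cookies.get(COOKIE_NAME) == token,
        "client_post": csrf_check(good_post),
        "forged_post": csrf_check(forged_post),
    }


if __name__ == "__main__":
    for key, value in api_client_flow().items():
        print(f"{key}: {value}")
```

The point for the reporter's setup: with CsrfViewMiddleware enabled and the cookie guaranteed by ensure_csrf_cookie, the content type of the GET response is irrelevant; only the cookie plus the echoed header matter.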
