CSRF with AJAX documentation is out-of-date
Reported by: Idan Gazit | Owned by: nobody
Has patch: yes | Needs documentation: no
Needs tests: no | Patch needs improvement: no
Following the release of Django 1.2.5, we issued new guidelines on using CSRF protection with AJAX requests: https://www.djangoproject.com/weblog/2011/feb/08/security/
In that release, we included a JS snippet showing how to properly set the CSRF token header on AJAX requests, which never made it into the docs.
In addition, the existing docs on using CSRF with AJAX are not as good as they could be. Right now, we mix together discussion of how to get the CSRF token and how to use it—breaking these out into logical sections would make the docs easier to read.
Because the changes I'm making touch on security-related issues, I'd really like several pairs of practiced eyes to go over it before we make a change.
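The request-side handling the ticket refers to (read the token from the csrftoken cookie, send it as the X-CSRFToken header, and only on non-safe, same-origin requests), written out as an added example in plain JavaScript. This is not the snippet from the security release or from Django's docs; it assumes Django's default cookie name `csrftoken` and header name `X-CSRFToken`, and the function names `getCookie`, `csrfSafeMethod`, `isSameOrigin`, `csrfHeaders` and `csrfFetch` are chosen here.

```javascript
// Added example, not Django's own code. Assumes Django's default CSRF
// cookie name ("csrftoken") and request header ("X-CSRFToken").

// Parse one cookie value out of a document.cookie-style string.
// Taking the string as a parameter keeps this testable outside a browser.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Django's CSRF middleware only checks non-safe methods, so the token is
// only needed for the others (POST, PUT, DELETE, PATCH, ...).
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Resolve the request URL against our origin and compare origins, so a
// relative URL counts as same-origin and an absolute third-party URL does not.
function isSameOrigin(url, origin) {
  return new URL(url, origin).origin === origin;
}

// Decide which CSRF-related headers a request needs. The token is attached
// only when the method needs it AND the target is our own origin: sending it
// cross-origin would hand a third party a valid token for this session.
function csrfHeaders(method, url, origin, cookieString) {
  if (csrfSafeMethod(method) || !isSameOrigin(url, origin)) return {};
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie is not readable from JavaScript');
  }
  return { 'X-CSRFToken': token };
}

// Browser-side wrapper around fetch(). Origin and cookies come from the
// page; credentials are limited to same-origin so the session cookie is
// never sent to third parties either.
function csrfFetch(url, options = {}) {
  const method = (options.method || 'GET').toUpperCase();
  const origin = window.location.origin;
  const headers = Object.assign(
    {},
    options.headers,
    csrfHeaders(method, url, origin, document.cookie)
  );
  return fetch(url, Object.assign({}, options, {
    method,
    headers,
    credentials: 'same-origin',
  }));
}
```

If the CSRF cookie is not readable from script (for example because it is marked HttpOnly), `csrfHeaders` throws rather than silently sending an unprotected request; in that case the token has to be read from the hidden input rendered by `{% csrf_token %}` instead of from the cookie.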
Change History (15)
comment:6 Changed 5 years ago by
Patch needs improvement: set
Triage Stage: Unreviewed → Accepted
Version: 1.3 → SVN