Opened 9 years ago
Closed 9 years ago
#26904 closed Uncategorized (needsinfo)
CSRF middleware ignores X-CSRFToken if token not in cookies
Description
This might be desired behaviour, but currently it seems that POST X-CSRFToken headers are ignored?
It seems that this line:
https://github.com/django/django/blob/master/django/middleware/csrf.py#L170
will set the csrf_token to None if the token is not available in the Cookies header, and then this line:
https://github.com/django/django/blob/master/django/middleware/csrf.py#L250
will cause the middleware to return early, and never check the value of the X-CSRFToken header.
There is a comment around line 250 that this is desired behaviour, so I'm a bit confused. My python/django is a little rusty, so apologies if this is my bad.
Change History (1)
comment:1 by , 9 years ago
| Field | Change |
|---|---|
| Component | Uncategorized → CSRF |
| Resolution | → needsinfo |
| Status | new → closed |
Did you read the documentation for how CSRF protection works? It's not clear to me if this query belongs here (what's the bug?) or if it's more of a usage question, in which case see TicketClosingReasons/UseSupportChannels.