id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26904	CSRF middleware ignores X-CSRFToken if token not in cookies	mrmagooey	nobody	"This might be desired behaviour, but currently it seems that POST `X-CSRFToken` headers are ignored?

It seems that this line:

https://github.com/django/django/blob/master/django/middleware/csrf.py#L170

will set the `csrf_token` to `None` if the token is not available in the Cookies header, and then this line:

https://github.com/django/django/blob/master/django/middleware/csrf.py#L250

will cause the middleware to return early, and never check the value of `X-CSRFToken` header. 

There is a comment around line 250 that this is desired behaviour, so I'm a bit confused. My Python/Django is a little rusty, so apologies if this is my bad."	Uncategorized	closed	CSRF	1.9	Normal	needsinfo	csrf		Unreviewed	0	0	0	0	0	0
