Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#27396 closed Cleanup/optimization (worksforme)

Docs: send POST request on base.html does not mention {{ csrf_token }}

Reported by: Ramin Farajpour Cami Owned by: nobody
Component: Documentation Version: 1.10
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hi,

Have a look at the section "AJAX " in this documentation page:

https://docs.djangoproject.com/en/1.10/ref/csrf/#ajax

It does not mention the highly relevant csrf_token in a meta tag on base.html. I think it should.

<meta content="{{ csrf_token }}" name='csrfmiddlewaretoken' />

In many cases AJAX is used on the root path http://127.0.0.1, with this action:

urls.py:

url(r'^$', Index, name='Index'),

base.html

<!DOCTYPE html>
<html lang="en">
<head>
    <link rel="stylesheet" href="style.css" />
    <title>{% block title %}My amazing site{% endblock %}</title>
</head>

<body>
    <div id="sidebar">
        {% block sidebar %}
        <ul>
            <li><a href="/">Home</a></li>
            <li><a href="/blog/">Blog</a></li>
        </ul>
        {% endblock %}
    </div>

    <div id="content">
        {% block content %}{% endblock %}
    </div>
</body>
</html>

index.html

{% extends "base.html" %}

{% block title %}{{ section.title }}{% endblock %}

{% block content %}
<h1>{{ section.title }}</h1>

{% endblock %}

Now, when the index action returns render, if users use AJAX on base.html (for example, checking session permission with JavaScript on the base.html page), this page sets no csrf_token cookie to send to the server side.

There are 2 ways:
1 - use {% csrf_token %}; this creates an input tag on base.html (this is not good)
2 - use a meta tag (<meta content="{{ csrf_token }}" name='csrfmiddlewaretoken' />)

I use 2, and it works great.

Change History (8)

comment:1 by Aymeric Augustin, 8 years ago

It's unclear to me how declaring this <meta> tag causes the CSRF token to be added to AJAX requests.

Are you using JavaScript code to extract it from there and add it to AJAX requests?

Or is this a behavior of <meta> tags that I'm not familiar with?

If the latter, is it a standardized behavior across browsers? Can you provide a link to documentation or compatibility tables?

in reply to: 1; comment:2 by Ramin Farajpour Cami, 8 years ago

Replying to Aymeric Augustin:

It's unclear to me how declaring this <meta> tag causes the CSRF token to be added to AJAX requests.

Are you using JavaScript code to extract it from there and add it to AJAX requests?

Or is this a behavior of <meta> tags that I'm not familiar with?

If the latter, is it a standardized behavior across browsers? Can you provide a link to documentation or compatibility tables?

Hi,

Please look at this:

http://api.rubyonrails.org/classes/ActionView/Helpers/CsrfHelper.html

1 - go to http://www.bugjoo.ir/ first; if you use Chrome, please press (ctrl+F5)
2 - you see a render error
3 - please sniff the AJAX request (session/current)

You see something like this:

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Cookie:__cfduid=d1b7d99024046b0a11e455b195c55783e1477636721
Host:www.bugjoo.ir
Pragma:no-cache
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

There isn't a csrf_token in the cookie.

Last edited 8 years ago by Ramin Farajpour Cami

in reply to: 2; comment:3 by Ramin Farajpour Cami, 8 years ago

Replying to Ramin Farajpour Cami:

Replying to Aymeric Augustin:

It's unclear to me how declaring this <meta> tag causes the CSRF token to be added to AJAX requests.

Are you using JavaScript code to extract it from there and add it to AJAX requests?

Or is this a behavior of <meta> tags that I'm not familiar with?

If the latter, is it a standardized behavior across browsers? Can you provide a link to documentation or compatibility tables?

Hi,

Please look at this:

http://api.rubyonrails.org/classes/ActionView/Helpers/CsrfHelper.html

1 - go to http://www.bugjoo.ir/ first; if you use Chrome, please press (ctrl+shift+n)
2 - you see a render error
3 - please sniff the AJAX request (session/current)

You see something like this:

Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:0
Cookie:__cfduid=d1b7d99024046b0a11e455b195c55783e1477636721
Host:www.bugjoo.ir
Origin:http://www.bugjoo.ir
Referer:http://www.bugjoo.ir/
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
X-CSRFToken:null
X-Requested-With:XMLHttpRequest

There isn't a csrf_token in X-CSRFToken.

Last edited 8 years ago by Ramin Farajpour Cami

comment:4 by Tim Graham, 8 years ago

Summary: Docs: send POST request on base.html does not mention {{ csrf_toeken }} → Docs: send POST request on base.html does not mention {{ csrf_token }}

Similar to Aymeric, I'm not sure what behavior you're describing or what documentation should be added. Could you offer a patch to explain it?

comment:5 by Ramin Farajpour Cami, 8 years ago

Hi Tim,

I'm going to give you more info; first you should be sure, and afterwards a patch.

What I mean by this ticket:

from django.shortcuts import render

def index(req):
    # index.html extends base.html, so both templates are rendered here
    return render(req, 'index.html')

and index.html extends base.html; when index.html is rendered, both index.html and base.html are handled in the browser. Now, if users use AJAX on base.html, I see that in Django csrf_token cannot be handled on base.html. Do you think I am mistaken? Please clarify this for me, because this is the behavior of Django I see.

Rails creates a meta csrf tag for layout.html (in Django: base.html).

comment:6 by Aymeric Augustin, 8 years ago

Resolution: worksforme
Status: new → closed

Your use case is documented here: https://docs.djangoproject.com/en/1.10/ref/csrf/#unprotected-view-needs-the-csrf-token

Django doesn't ship JavaScript code that would take advantage of the <meta> tag you're describing, so there's no use describing that (except if it's a built-in behavior in browsers, which is why I asked for evidence of that behavior, because I'd be surprised if it existed).

comment:7 by Ramin Farajpour Cami, 8 years ago

Hi Aymeric,

But this is not good: an unprotected csrf token. I tested it now and it works, but if the csrf token is important for users on base.html for one AJAX request, do you have a solution?

Thanks,
Ramin

Last edited 8 years ago by Ramin Farajpour Cami

comment:8 by Aymeric Augustin, 8 years ago

You need two things:

  1. Create a CSRF token by accessing it. (That will cause the token to be automatically sent in a cookie.)
  2. Get this token from JavaScript. (The most reliable is to look it up from the cookie rather than the DOM.)

I usually solve 1. with a trivial middleware:

from django.middleware import csrf


class SendCsrfCookie:
    """
    Send a CSRF cookie with every request.

    Any page could trigger an AJAX POST request.

    """
    # Old-style (MIDDLEWARE_CLASSES) hook. get_token() marks the request so
    # CsrfViewMiddleware sets the csrftoken cookie on the response even when
    # no template on the page used {% csrf_token %}.
    def process_request(self, request):
        csrf.get_token(request)

and 2. with the method described in the documentation.

I'm having a hard time following your comments. As far as I can tell, you're proposing something for 2. which doesn't work at all but accidentally triggers 1. Then something else makes 2. work in your project. I don't think that makes sense and that's why I'm rejecting the proposal.

We might want to document the middleware technique.

Last edited 8 years ago by Aymeric Augustin
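The client-side half of the two-step recipe in comment 8, as an added example that is not part of this ticket or of Django's own code: it reads the token from the csrftoken cookie rather than the DOM, attaches it as X-CSRFToken only on unsafe methods, and refuses to send when the cookie is absent, which is the situation behind the "X-CSRFToken:null" capture in comment 3. The server-side half is the middleware in comment 8 calling csrf.get_token(request). The cookie strings, the serverAccepts stand-in for CsrfViewMiddleware's check, and the function names are assumptions of this example; the real Django check additionally unmasks the token and compares in constant time.

```javascript
// Added example: client-side CSRF token handling for AJAX against Django,
// written so it runs in Node as well as a browser (the cookie string is
// passed in instead of read from document.cookie).

// Django's default cookie name; the CSRF_COOKIE_NAME setting can change it.
const CSRF_COOKIE_NAME = "csrftoken";
// Methods CsrfViewMiddleware does not check (same list as Django's).
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one cookie out of a document.cookie-style string ("a=1; b=2").
// Returns null when the cookie is absent, which is what the capture in
// comment 3 showed: the page never rendered {% csrf_token %}, so no cookie.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const [rawName, ...rest] = part.trim().split("=");
    if (rawName === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build headers for an XMLHttpRequest/fetch call. Unsafe methods get
// X-CSRFToken from the cookie. If the cookie is missing we throw instead of
// sending the string "null", so the missing cookie is noticed on the client
// rather than as a 403 from the server.
function csrfHeaders(method, cookieString, extra = {}) {
  const headers = { "X-Requested-With": "XMLHttpRequest", ...extra };
  if (SAFE_METHODS.has(method.toUpperCase())) return headers;
  const token = getCookie(CSRF_COOKIE_NAME, cookieString);
  if (token === null) {
    throw new Error(
      "no csrftoken cookie: the server never called get_token() for this page"
    );
  }
  headers["X-CSRFToken"] = token;
  return headers;
}

// Simplified stand-in (assumption) for the server-side check: the header must
// be present, must not be the stringified "null", and must equal the cookie.
// Returns true when the request would be accepted.
function serverAccepts(method, cookieString, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const cookieToken = getCookie(CSRF_COOKIE_NAME, cookieString);
  const headerToken = headers["X-CSRFToken"];
  return (
    cookieToken !== null &&
    headerToken !== undefined &&
    headerToken !== "null" &&
    headerToken === cookieToken
  );
}

// Walk through both situations with constructed cookie strings.
function demo() {
  // Constructed: what the browser holds after get_token() ran on the server.
  const withToken = "sessionid=s1; csrftoken=Ab12constructedToken";
  // Constructed: only a CDN cookie, no csrftoken, as in comment 3's capture.
  const noToken = "__cfduid=constructed";

  const good = csrfHeaders("POST", withToken);
  let clientRefused = false;
  try {
    csrfHeaders("POST", noToken);
  } catch (e) {
    clientRefused = true;
  }
  return {
    accepted: serverAccepts("POST", withToken, good),
    clientRefused,
    // What an unguarded client would have sent (comment 3): rejected.
    nullHeaderRejected: !serverAccepts("POST", noToken, {
      "X-CSRFToken": "null",
    }),
  };
}

module.exports = { getCookie, csrfHeaders, serverAccepts, demo };
```

In a browser, call csrfHeaders(method, document.cookie) and pass the result to fetch or XMLHttpRequest.setRequestHeader; the thrown error is the signal that the page was served without the cookie and that the middleware from comment 8 (or a view that touches the token) is missing on the server side.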