Opened 7 years ago
Last modified 3 years ago
#27534 closed Cleanup/optimization
Add CSRF_COOKIE_HTTP_ONLY note to CSRF AJAX docs — at Initial Version
| Reported by: | Andrew Charles | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
https://docs.djangoproject.com/en/dev/ref/csrf/#ajax
There should be a note in the CSRF AJAX docs that the CSRF_COOKIE_HTTP_ONLY setting will prevent non-safe ajax calls from working (if using the js provided). It should note that you have to include the csrf token via the template tag {% csrf_token %}, and update the js with something like this:
var csrftoken = getCookie('csrftoken'); if (csrftoken === null) { csrftoken = $('input[name="csrfmiddlewaretoken"]').val(); if (csrftoken === null) { console.log('No csrf token'); } }
This is my first Django issue/ticket, sorry if I missed anything.
Note:
See TracTickets
for help on using tickets.