Opened 7 years ago
Closed 7 years ago
#27763 closed Cleanup/optimization (needsinfo)
Docs: check invalid csrftoken on CSRF_FAILURE_VIEW
| Reported by: | Ramin Farajpour Cami | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hi,
settings.CSRF_FAILURE_VIEW alwase render html,when from client side sending request invalid csrftoken:invalid with type:json,
from https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-CSRF_FAILURE_VIEW
def csrf_failure(request, reason=""):
...
# render html page
while request is type:json and response is type:html, i think we should point this scenario to django docs,
example :
def csrf_failure(request, reason=""):
if request.is_ajax():
return HttpResponseForbidden('',
content_type='application/json',
charset="utf-8")
return render(...)
Change History (6)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
Every view might have special handling for AJAX requests. Yes,Or like : login_required i know about it, with pass request direct to @login_required def anything(): and request.user.is_authenticate() for AJAX,
but CSRF_FAILURE_VIEW is a custom error handling security, maybe pass AJAX request to send for many action like : def requests(req): and etc
if csrftoken is invalid with this docs user define template for view error of missing csrftoken for AJAX or form request, Understanding is difficult for users beginner how to handle AJAX missing csrftoken!!!!,
I'm not immediately convinced that documenting this possibility each time adds much value again you are right,but I've mentioned above
comment:4 by , 7 years ago
Yes,i know
we have 2 way for get csrftoken value :
1- use variable {{ csrft_token }} on tag script
2- use AJAX docs get csrftoken from cookie,
users added settings.CSRF_FAILURE_VIEW="django.views.csrf.csrf_failure()" on settings for your csrftoken missing message(status=403) django,
if is invalid csrftoken he/she will see with current docs render template view, but for normal request,
django need docs a few point to handle AJAX why?
because:
https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L15
CSRF_FAILURE_TEMPLATE is not for example CSRF_FAILURE_AJAX, from fail AJAX always render template,
csrf.py message is security error, maybe person set message for different request exam:(normal request, and AJAX requests),here is normal request csrf_failure , in AJAX request nothing example CSRF_FAILURE_AJAX or point docs for check request.is_ajax()
example :
from django.views.decorators.csrf import csrf_exempt, csrf_protect
@csrf_protect
def my_view(request):
## call ajax request to this with sending invalid csrftoken
@csrf_protect ## checked invalid csrftoken and call settings.CSRF_FAILURE_VIEW render default template django and etc
def protected_path(request):
do_something()
if some_condition():
return protected_path(request)
else:
do_something_else()
settings.py
settings.CSRF_FAILURE_VIEW="django.views.csrf.csrf_failure()"
django.views.csrf.csrf_failure() always render html any check AJAX request,
comment:5 by , 7 years ago
I'm trying follow you, but I'm afraid I'm not succeeding because of a language barrier. Do you have a colleague who you could communicate to in your native language who might be able to better communicate in English?
comment:6 by , 7 years ago
| Resolution: | → needsinfo |
|---|---|
| Status: | new → closed |
Every view might have special handling for AJAX requests. I'm not immediately convinced that documenting this possibility each time adds much value. For example, why not add a similar note to the error views?