#35062 closed Bug (invalid)
Update csrf.py to check request.POST if request.method is not GET
| Reported by: | Peter Jones | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Mirza Baig | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
When trying to determine request_csrf_token within csrf.py, request.method == "POST" fails (CSRF token missing) if you use custom middleware that handles a form field _method to convert request.method to PUT/DELETE... etc. I use this middleware since HTML forms can only use GET and POST, and I want my page to work even when JavaScript is disabled.
Change django/middleware/csrf.py (line 365)

```python
if request.method == "POST":
```

To

```python
if request.method != "GET":
```
Change History (4)
comment:1 by , 23 months ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:3 by , 23 months ago
I've enhanced my middleware to address both the Request method limitation and the CSRF header issue for HTML forms. Despite these improvements, I believe Django, as 'the web framework for perfectionists,' should inherently offer better support for scenarios where JavaScript is disabled in the browser. Prioritizing accessibility and functionality in a no-JavaScript environment aligns with the high standards Django sets for web development.
https://www.reddit.com/r/webdev/comments/mfnxnj/why_your_website_should_work_without_javascript/
comment:4 by , 22 months ago
Hello Peter!
On one hand, if you disagree with the resolution, you can alternatively propose and discuss the idea/request with the community and gain consensus. To do that, you could start a new conversation on the Django Forum, where you'll reach a wider audience and potentially get extra feedback.
On the other hand, it would be important to explain in detail how the change you suggest affects working with/without JavaScript enabled. I have multiple sites where JavaScript is not required at all and they do not need this change.
Thanks for this report, however, if you're using a custom middleware to convert POST to PUT/PATCH/DELETE then you can also use your own CsrfViewMiddleware subclass to handle them. It doesn't need to be handled by Django itself. We don't usually include workarounds for niche edge cases.
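The failure the ticket describes comes down to ordering: a CSRF check that reads the token from the form body only when the method is POST, combined with a method-override step that rewrites POST to PUT/DELETE before that check runs. The simulation below is an added example, not code from the ticket or from Django; it uses a constructed `Request` class, a constructed token value and two plain functions (`csrf_check`, `method_override`) that stand in for the middleware pair, so it runs without Django. It shows the rejected request when the override runs first, the accepted request when the CSRF check runs first, and why the override must only ever promote a POST (a GET carrying `_method=DELETE` is left as a GET, since GET is exempt from the token check and must not be turned into a state-changing request).

```python
"""Added example: simulating CSRF-check / method-override ordering.
Not Django's code; Request, csrf_check and method_override are constructed
stand-ins for the real middleware."""
from dataclasses import dataclass, field

# Constructed sample token; a real deployment uses a per-session secret.
SECRET_TOKEN = "constructed-sample-token"

# Methods that a CSRF check leaves unverified (they must not change state).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Only these targets may be reached through a form-field override.
OVERRIDABLE = {"PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Constructed minimal request: method, parsed form body, headers."""
    method: str
    POST: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class CsrfTokenMissing(Exception):
    """Raised when a state-changing request carries no valid token."""


def csrf_check(request: Request) -> Request:
    """Mirror the behaviour described in the ticket: the token is read
    from the form body only for POST, from a header for anything else."""
    if request.method in SAFE_METHODS:
        return request
    if request.method == "POST":
        token = request.POST.get("csrfmiddlewaretoken", "")
    else:
        token = request.headers.get("X-CSRFToken", "")
    if token != SECRET_TOKEN:
        raise CsrfTokenMissing(request.method)
    return request


def method_override(request: Request) -> Request:
    """Promote a POST to PUT/PATCH/DELETE based on a hidden _method field.
    Never promote a GET: GET skips the token check, so allowing the
    override there would let a plain link issue a DELETE."""
    target = request.POST.get("_method", "").upper()
    if request.method == "POST" and target in OVERRIDABLE:
        request.method = target
    return request


def run_pipeline(request: Request, middlewares) -> tuple[bool, str]:
    """Apply the middleware functions in order.
    Returns (accepted, final_method)."""
    try:
        for mw in middlewares:
            request = mw(request)
    except CsrfTokenMissing:
        return (False, request.method)
    return (True, request.method)


def form_delete() -> Request:
    """Constructed no-JavaScript HTML form submission: POST carrying both
    the CSRF token and a _method=DELETE override field."""
    return Request("POST", {"csrfmiddlewaretoken": SECRET_TOKEN,
                            "_method": "DELETE"})


if __name__ == "__main__":
    # Override first: the check sees DELETE, looks for a header, finds none.
    print(run_pipeline(form_delete(), [method_override, csrf_check]))
    # Check first: the body token is validated, then the method is promoted.
    print(run_pipeline(form_delete(), [csrf_check, method_override]))
```

In Django terms the second ordering means performing the override only after `CsrfViewMiddleware` has validated the request, which is one way to read the suggestion above about handling this in your own subclass rather than by relaxing the `request.method == "POST"` condition for everyone.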