#35062 closed Bug (invalid)
Update csrf.py to check request.POST if request.method is not GET
Reported by: | Peter Jones | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 4.2 |
Severity: | Normal | Keywords: | |
Cc: | Mirza Baig | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
When trying to determine request_csrf_token within csrf.py, request.method == "POST" fails (CSRF token missing) if you use custom middle ware that handles a form field _method to convert request.method to PUT/DELETE... etc. I use this middle ware since HTML forms can only use GET and POST, and I want my page to work even when JavaScript is disabled.
Change django/middleware/csrf.py (line 365)
if request.method == "POST":
To
if request.method != "GET":
Change History (4)
comment:1 by , 11 months ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:3 by , 11 months ago
I've enhanced my middleware to address both the Request method limitation and the CSRF header issue for HTML forms. Despite these improvements, I believe Django, as 'the web framework for perfectionists,' should inherently offer better support for scenarios where JavaScript is disabled in the browser. Prioritizing accessibility and functionality in a no-JavaScript environment aligns with the high standards Django sets for web development.
https://www.reddit.com/r/webdev/comments/mfnxnj/why_your_website_should_work_without_javascript/
comment:4 by , 10 months ago
Hello Peter!
One one hand, if you disagree with the resolution, you can alternatively propose and discuss the idea/request with the community and gain consensus. To do that, you could start a new conversation on the Django Forum, where you'll reach a wider audience and potentially get extra feedback.
On the other hand, it would be important to explain in detail how the change you suggest affects working with/without Javascript enabled. I have multiple sites where javascript is not required at all and they do not need this change.
Thanks for this report, however if you're using a custom middleware to convert POST to PUT/PATCH/DELETE then you can also use your own
CsrfViewMiddleware
subclass to handle them. It doesn't need to be handle by Django itself. We don't usually include workarounds for niche edge cases.