Opened 91 minutes ago
#37032 new Uncategorized
Documentation for django.template.context_processors.csrf is incorrect or inaccurate
| Reported by: | Christian Finnberg | Owned by: | |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | csrf, context processor |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Documentation for django.template.context_processors.csrf in https://docs.djangoproject.com/en/dev/ref/templates/api/#django-template-context-processors-csrf is not accurate. It says:
This processor adds a token that is needed by the csrf_token template tag for protection against Cross Site Request Forgeries.
But the csrf_token template tag is independent of this context processor. This context processor adds a csrf_token variable that can be used for protection against CSRF, but it seems that this is like a "legacy" method. The recommended way, or at least the way Django is configured by default, is to enable the django.middleware.csrf.CsrfViewMiddleware middleware, which adds the csrf_token template tag and works independently of this context processor.
So a different definition may be better. Something like:
If this processor is enabled, every RequestContext will contain a variable csrf_token with a CSRF token, or the string 'NOTPROVIDED' if it has not been provided by either a view decorator or the middleware. Notice that the csrf_token template tag (not this context processor) is the preferred way to add the CSRF token to the forms.
In any case I think this component's text must be corrected somehow.