Opened 8 years ago

Closed 7 years ago

#6709 closed (wontfix)

csrf for javascript or ajax based forms

Reported by: hasen <hasan.aljudy@…>
Owned by: nobody
Component: Contrib apps
Version: master
Severity:
Keywords: csrf
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


The CSRF middleware doesn't insert anything if it doesn't see a <form> tag with method="post".
This is very limiting.
I, for example, in some of my ajax-based pages, don't use a form tag at all; I just put the <input> fields, give them ids, and collect the data programmatically (using the input elements' id) and also send the form using the post method programmatically (through an XMLHttpRequest object).

It would be nice if the CSRF framework still adds the hidden csrf token to the page even if it finds no form with a post method, by just inserting the token somewhere reasonable within the body of the page so that it's accessible for any piece of JS code. (i.e. such that it has an id)

Change History (2)

comment:1 Changed 7 years ago by programmerq

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 7 years ago by jacob

  • Resolution set to wontfix
  • Status changed from new to closed

This seems overly complex. I'd rather see some sort of template tag help to insert a CSRF token (and, by a similar extent, a form base class to use with CSRF'd forms). See #7167 for some thoughts about this idea.
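
A simplified model of the behaviour the ticket describes, as an added example that is not part of the ticket and not Django's middleware code: a response rewriter that only adds the token to POST forms, next to the fallback the reporter asks for. The token scheme (HMAC of a session id), the field name `csrf_token` and the element id `csrf-token` are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

# Opening <form> tag whose method attribute is POST (any case or quoting).
POST_FORM_RE = re.compile(
    r"(<form\b[^>]*\bmethod\s*=\s*['\"]?post\b['\"]?[^>]*>)", re.IGNORECASE)
BODY_CLOSE_RE = re.compile(r"</body\s*>", re.IGNORECASE)


def make_token(secret: bytes, session_id: str) -> str:
    """Per-session token: HMAC-SHA256 of the session id (assumed scheme)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def hidden_field(token: str, with_id: bool = False) -> str:
    id_attr = ' id="csrf-token"' if with_id else ""  # hypothetical element id
    return f'<input type="hidden"{id_attr} name="csrf_token" value="{token}">'


def inject_into_forms(html: str, token: str) -> tuple[str, int]:
    """Behaviour described in the ticket: only POST forms receive the token.
    Returns the rewritten page and the number of forms that were patched."""
    return POST_FORM_RE.subn(lambda m: m.group(1) + hidden_field(token), html)


def inject_with_fallback(html: str, token: str) -> str:
    """Requested behaviour: when no POST form exists, still emit the token
    once, in an element with an id, just before </body>."""
    out, patched = inject_into_forms(html, token)
    if patched == 0:
        out = BODY_CLOSE_RE.sub(
            lambda m: hidden_field(token, with_id=True) + m.group(0), out, count=1)
    return out


def check_token(secret: bytes, session_id: str, submitted: str) -> bool:
    """Server-side check, the same for form posts and XMLHttpRequest posts."""
    expected = make_token(secret, session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


# Constructed sample pages: one classic form, one AJAX page with bare inputs.
FORM_PAGE = '<body><form action="/save" method="post"><input name="a"></form></body>'
AJAX_PAGE = '<body><input id="title"><button id="send">Send</button></body>'
```

With `inject_into_forms`, the AJAX page comes back unchanged, so a script on it has no token to send and its POST fails `check_token`; with `inject_with_fallback`, the script can read the value from the element with the id and include it in the request body.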
