CSRFMiddleware should strip POST dat instead of showing the user an error message if a forgery is detected
|Reported by:||zain||Owned by:||nobody|
|Cc:||glennfmaynard@…||Triage Stage:||Design decision needed|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||yes|
If a page receives a POST that doesn't contain the 'csrfmiddlwaretoken' variable, it shows the following message: "Cross Site Request Forgery detected. Request aborted."
Instead of showing the user this message, I propose just stripping out the POST data. That could help improve user experience in the case of when a site outside your control is redirecting to you.
For example; if a user is paying you via Paypal web payments, they get redirected back to your website at the end. During this step, Paypal POSTs some (non-critical) information. At this point, the CSRF middleware shows the user an error. As a result, it is impossible to use the CSRF Middleware on a website that accepts paypal web payments.
The patch I have attached merely sets request.POST =  instead of giving the user an HttpResponseForbidden message.
Change History (5)
Changed 6 years ago by zain
comment:1 Changed 6 years ago by Daniel Pope <dan@…>
- Needs documentation unset
- Needs tests unset
- Patch needs improvement set
- Triage Stage changed from Unreviewed to Design decision needed