Opened 14 years ago

Closed 14 years ago

#15501 closed (wontfix)

CSRF middleware does not handle REST api application correctly

Reported by: Kristoffer Snabb Owned by: nobody
Component: HTTP handling Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The CSRF middleware does not work if the application is a strict RESTful api that returns JSON with GET requests and adds information with POST requests. This problem came with the upgrade to Django version 1.2.5

A solution would be to add 'application/json' and 'application/javascript' to the types that should return a response with a csrtoken cookie.


This is in the current csrf middleware:

_HTML_TYPES = ('text/html', 'application/xhtml+xml')

http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py?rev=15623

I did not find any good workarounds or other documentation about this so I report it here.

Change History (1)

comment:1 by Łukasz Rekucki, 14 years ago

Resolution: wontfix
Status: newclosed

CsrfResponseMiddleware is deprecated. The correct way to handle this, is using CsrfViewMiddleware and adding the token as a cookie . See the blog post about 1.2.5 security release and it's errata

Note: See TracTickets for help on using tickets.
Back to Top