#27396 closed Cleanup/optimization (worksforme)
Docs: send POST request on base.html does not mention {{ csrf_token }}
| Reported by: | Ramin Farajpour Cami | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 1.10 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hi,
Have a look at the section "AJAX " in this documentation page:
https://docs.djangoproject.com/en/1.10/ref/csrf/#ajax
It does not mention the highly relevantcsrf_toeken on meta tag on base.html I think it should.
<meta content="{{ csrf_token }}" name='csrfmiddlewaretoken' />
many case there is use AJAX on root path http://127.0.0.1 this action
urls.py:
url(r'^$', Index , name='Index'),
base.html
<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="style.css" />
<title>{% block title %}My amazing site{% endblock %}</title>
</head>
<body>
<div id="sidebar">
{% block sidebar %}
<ul>
<li><a href="/">Home</a></li>
<li><a href="/blog/">Blog</a></li>
</ul>
{% endblock %}
</div>
<div id="content">
{% block content %}{% endblock %}
</div>
</body>
</html>
index.html
{% extends "base.html" %}
{% block title %}{{ section.title }}{% endblock %}
{% block content %}
<h1>{{ section.title }}</h1>
{% endblock %}
now when action index return render , now if users use AJAX on base.html (for example : check session permission on use javascript on page base.html ) howevery this page nothing cookie set csrf_token for send to server side ,
there is 2 way :
1 - use {% csrf_token %} , this create input tag on base.html (this is not good )
2 - use meta tag (<meta content="{{ csrf_token }}" name='csrfmiddlewaretoken' />)
i use 2 , and work it great ,
Change History (8)
follow-up: 2 comment:1 by , 8 years ago
follow-up: 3 comment:2 by , 8 years ago
Replying to Aymeric Augustin:
It's unclear to me how declaring this
<meta>tag causes the CSRF token to be added to AJAX requests.
Are you using JavaScript code to extract it from there and add it to AJAX requests?
Or is this a behavior of
<meta>tags that I'm not familiar with?
If the latter, is it a standardized behavior across browsers? Can you provide a like to documentation or compatibility tables?
Hi ,
please look this ,
http://api.rubyonrails.org/classes/ActionView/Helpers/CsrfHelper.html
1 - go to http://www.bugjoo.ir/ first if you use chrome plz press (ctrl+F5)
2- you see render error
3- please sniff request AJAX (session/current)
you see like this,
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding:gzip, deflate, sdch Accept-Language:en-US,en;q=0.8 Cache-Control:no-cache Connection:keep-alive Cookie:__cfduid=d1b7d99024046b0a11e455b195c55783e1477636721 Host:www.bugjoo.ir Pragma:no-cache Upgrade-Insecure-Requests:1 User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
there isn't csrf_token on cookie,
comment:3 by , 8 years ago
Replying to Ramin Farajpour Cami:
Replying to Aymeric Augustin:
It's unclear to me how declaring this
<meta>tag causes the CSRF token to be added to AJAX requests.
Are you using JavaScript code to extract it from there and add it to AJAX requests?
Or is this a behavior of
<meta>tags that I'm not familiar with?
If the latter, is it a standardized behavior across browsers? Can you provide a like to documentation or compatibility tables?
Hi ,
please look this ,
http://api.rubyonrails.org/classes/ActionView/Helpers/CsrfHelper.html
1 - go to http://www.bugjoo.ir/ first if you use chrome plz press (ctrl+shift+n)
2- you see render error
3- please sniff request AJAX (session/current)
you see like this,
Accept:application/json, text/javascript, */*; q=0.01 Accept-Encoding:gzip, deflate Accept-Language:en-US,en;q=0.8 Connection:keep-alive Content-Length:0 Cookie:__cfduid=d1b7d99024046b0a11e455b195c55783e1477636721 Host:www.bugjoo.ir Origin:http://www.bugjoo.ir Referer:http://www.bugjoo.ir/ User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36 X-CSRFToken:null X-Requested-With:XMLHttpRequest
there isn't
csrf_tokenon X-CSRFToken,
comment:4 by , 8 years ago
| Summary: | Docs: send POST request on base.html does not mention {{ csrf_toeken }} → Docs: send POST request on base.html does not mention {{ csrf_token }} |
|---|
Similar to Aymeric, I'm not sure what behavior you're describing or what documentation should be added. Could you offer a patch to explain it?
comment:5 by , 8 years ago
Hi Tim,
i going to more info for you first time you should sure Afterwards patch,
my means of this ticket ,
def index(req): return render(req,'index.html')
and index.html extend with base.html , when render index.html both index.html and base.html handel on browser, now if users use AJAX on base.html in i see on django csrf_token can not handel on base.html , do you think i am mistake please clarification to me,because i see behavior of django ,
rails create meta csrf for layout.html (in django : base.html),
comment:6 by , 8 years ago
| Resolution: | → worksforme |
|---|---|
| Status: | new → closed |
Your use case is documented here: https://docs.djangoproject.com/en/1.10/ref/csrf/#unprotected-view-needs-the-csrf-token
Django doesn't ship JavaScript code that would take advantage the <meta> tag you're describing so there's no use describing that (except if it's a built-in behavior in browsers, which is why I asked for evidence of that behavior, because I'd be surprised if it existed).
comment:7 by , 8 years ago
Hi Aymeric,
but this is not good, Unprotected csrf token, i test now work it, but if csrf token is important for users on base.html for one request of AJAX do you have solution?
Thanks,
Ramin
comment:8 by , 8 years ago
You need two things:
- Create a CSRF token by accessing it. (That will cause the token to be automatically sent in a cookie.)
- Get this token from JavaScript. (The most reliable is to look it up from the cookie rather than the DOM.)
I usually solve 1. with a trivial middleware:
class SendCsrfCookie:
"""
Send a CSRF cookie with every request.
Any page could trigger an AJAX POST request.
"""
def process_request(self, request):
csrf.get_token(request)
and 2. with the method described in the documentation.
I'm having a hard time following your comments. As far as I can tell, you're proposing something for 2. which doesn't work at all but accidentally triggers 1. Then something else makes 2. work in your project. I don't think that makes sense and that's why I'm rejecting the proposal.
We might want to document the middleware technique.
It's unclear to me how declaring this
<meta>tag causes the CSRF token to be added to AJAX requests.Are you using JavaScript code to extract it from there and add it to AJAX requests?
Or is this a behavior of
<meta>tags that I'm not familiar with?If the latter, is it a standardized behavior across browsers? Can you provide a like to documentation or compatibility tables?