django-intercoolerjs
CSRF token
Django expects a CSRF token with POST requests to prevent Cross-Site Request Forgery. This also includes AJAX POST requests.
With a normal form this looks like this:
<form action="" method="post">{% csrf_token %}
There's a third way, I believe:
ic-on-beforeSend="xhr.setRequestHeader('X-CSRFToken', '{{ csrf_token }}');"
You are right @kezabelle. Thanks a lot! I'm thinking about introducing a template tag to make it more convenient.
I wonder if intercooler should support the rails-style CSRF meta tags out of the box.
Does django have something similar?
Cheers, Carson
On March 22, 2017 at 2:07:41 AM, Jochen Breuer wrote:
> You are right @kezabelle https://github.com/kezabelle. Thanks a lot! I'm thinking about introducing a template tag to make it more convenient.
@carsongross That would be awesome. Django is very frontend agnostic, so this is our job. I see no reason not to introduce a CSRF meta tag. I would indeed prefer this over anything else. It is easy to implement and solves the problem.
Now we only have to convince all the frameworks to use the same header field name. Django uses X-CSRFToken and Rails X-CSRF-Token. You can change that in the Django settings. But I've not tried that yet.
+1 for an out of the box support on CSRF tokens
@chg20 Any news on this? I'm just asking, because I was not following the latest changes and would like to catch up. Thanks!
How does django encode the CSRF token?
@chg20 Seems like the best way to get it is from the cookies. Hm… maybe intercooler could have a hook that gets called when implemented and then each framework would be able to ship a tiny snippet that would set the csrf tokens or not?
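The two client-side approaches discussed in this thread (setting the X-CSRFToken header from beforeSend, and sourcing the token from a Rails-style meta tag or from Django's cookie) as one added example. This is not code from django-intercoolerjs or Intercooler; it assumes Django's defaults, which are facts about Django rather than about this project: the cookie is named csrftoken (CSRF_COOKIE_NAME), the expected header is X-CSRFToken (CSRF_HEADER_NAME defaults to HTTP_X_CSRFTOKEN), the cookie is readable from JavaScript only while CSRF_COOKIE_HTTPONLY is False, and no cookie exists at all when CSRF_USE_SESSIONS is enabled or the view never called get_token(), so the meta-tag path is the fallback-proof one. The cookie string, meta list and FakeXhr are constructed stand-ins so the snippet runs outside a browser; in a page you would pass document.cookie and the result of document.querySelectorAll('meta[name="csrf-token"]').

```javascript
// Added example, not part of django-intercoolerjs or Intercooler.
// Assumed Django defaults: cookie "csrftoken", header "X-CSRFToken".
const DJANGO_CSRF_COOKIE = 'csrftoken';
const DJANGO_CSRF_HEADER = 'X-CSRFToken';

// Read one cookie out of a document.cookie-style string.
// Returns null when the cookie is absent (e.g. CSRF_USE_SESSIONS, or a view
// that never rendered {% csrf_token %} / used @ensure_csrf_cookie).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [rawKey, ...rest] = part.split('=');
    if (rawKey.trim() === name) {
      // Values may contain '=' and may be percent-encoded.
      return decodeURIComponent(rest.join('=').trim());
    }
  }
  return null;
}

// Read the token from a Rails-style <meta name="csrf-token" content="...">.
// `metaTags` is an array of {name, content}; in a browser build it from
// document.querySelectorAll('meta[name="csrf-token"]').
function readMetaToken(metaTags) {
  const tag = metaTags.find(m => m.name === 'csrf-token');
  return tag && tag.content ? tag.content : null;
}

// Prefer the meta tag (explicitly rendered by the template), then the cookie.
function resolveCsrfToken(cookieString, metaTags) {
  return readMetaToken(metaTags) || readCookie(cookieString, DJANGO_CSRF_COOKIE);
}

// Django's CsrfViewMiddleware exempts these methods, so no header is needed.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Hook for Intercooler's beforeSend (the thread's ic-on-beforeSend attribute
// exposes the xhr). Returns true if the header was attached, false if the
// request is safe or no token could be found.
function attachCsrfHeader(xhr, method, cookieString, metaTags) {
  if (SAFE_METHODS.has(method.toUpperCase())) return false;
  const token = resolveCsrfToken(cookieString, metaTags);
  if (!token) return false;
  xhr.setRequestHeader(DJANGO_CSRF_HEADER, token);
  return true;
}

// Minimal XMLHttpRequest stand-in so this runs outside a browser.
class FakeXhr {
  constructor() { this.headers = {}; }
  setRequestHeader(name, value) { this.headers[name] = value; }
}

// Constructed sample inputs (not real secrets); Django's cookie token is 64 chars.
const sampleCookies =
  'sessionid=abc123; csrftoken=Zq3tUvWxYz0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQR; theme=dark';
const sampleMeta = [{ name: 'viewport', content: 'width=device-width' }];

const demoXhr = new FakeXhr();
attachCsrfHeader(demoXhr, 'POST', sampleCookies, sampleMeta);
console.log(demoXhr.headers);
```

If the Django deployment changes CSRF_HEADER_NAME (as the thread suggests for aligning with Rails), change DJANGO_CSRF_HEADER to match; the header Django reads is the setting's value with the HTTP_ prefix stripped and underscores read as hyphens.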