Can I simply disable the CSRF? crazy


chenge

Aug 17, 2010, 8:01:44 AM8/17/10
to Django users
I'm new to Django. CSRF drives me crazy!

thanks!

Rolando Espinoza La Fuente

Aug 17, 2010, 4:29:28 PM8/17/10
to django...@googlegroups.com
On Tue, Aug 17, 2010 at 8:01 AM, chenge <chen...@gmail.com> wrote:
> I'm new to Django. CSRF drives me crazy!

Can't you use the {% csrf_token %} tag inside your <form>s?

See csrf_exempt decorator:
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions

Regards,


Rolando Espinoza La fuente
www.insophia.com

Karim Gorjux

Aug 17, 2010, 5:02:18 PM8/17/10
to django...@googlegroups.com
On Tue, Aug 17, 2010 at 23:29, Rolando Espinoza La Fuente
<dar...@gmail.com> wrote:
> See csrf_exempt decorator:
> http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions

I had problems too, but the decorator is a good patch for the moment :-)

Thanks!

--
Karim Gojux
www.karimblog.net

chenge

Aug 18, 2010, 9:19:02 PM8/18/10
to Django users


On Aug 18, 4:29 AM, Rolando Espinoza La Fuente <dark...@gmail.com>
wrote:
> On Tue, Aug 17, 2010 at 8:01 AM, chenge <cheng...@gmail.com> wrote:
> > I'm new to Django. CSRF drives me crazy!
>
> Can't you use the {% csrf_token %} tag inside your <form>s?
>
> See csrf_exempt decorator:http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#exceptions
>
> Regards,
>
> Rolando Espinoza La fuente
> www.insophia.com

Thanks, I've decided to try Flask first; that seems simple. Maybe I'll try
the exempt.

puneet loya

Sep 23, 2012, 3:44:54 PM9/23/12
to django...@googlegroups.com
Hi,

I was trying to disable CSRF. I am calling POST using AJAX.

I have used the csrf token and placed it below the form.

In my views file I'm using csrf_exempt.

I am still getting the network forbidden error. :(

If you require more information I will share it :)

yati sagade

Sep 24, 2012, 2:56:37 AM9/24/12
to django...@googlegroups.com
Remove {% csrf_token %} from the form AND leave the csrf_exempt decorator as it is in the view. Everyone faces challenges while learning a new thing. The key is to face it head on and not to move to somewhere you think there will be no challenges :)

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/BQ5RpafQK3EJ.
To post to this group, send email to django...@googlegroups.com.
To unsubscribe from this group, send email to django-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.



--
Yati Sagade

Software Engineer at mquotient

Twitter: @yati_itay | Github: yati-sagade

Organizing member of TEDx EasternMetropolitanBypass
http://www.ted.com/tedx/events/4933
https://www.facebook.com/pages/TEDx-EasternMetropolitanBypass/337763226244869


Phang Mulianto

Sep 24, 2012, 9:06:45 AM9/24/12
to django...@googlegroups.com
Hi, better to use CSRF for your application's security.

It is easier to disable it, but the security of your app is what you will think about after it's running later.

Do it correctly now or later.

Rgds,

Mulianto

jondykeman

Sep 24, 2012, 10:00:02 AM9/24/12
to django...@googlegroups.com
+1 For doing it right from the beginning. 

I was tempted to disable it when trying to deal with AJAX, especially early on. Below is some code with jQuery so that you won't need to manually feed the token through your AJAX.

<script type="text/javascript"> 
jQuery(document).ajaxSend(function(event, xhr, settings) {
    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }
    function sameOrigin(url) {
        // url could be relative or scheme relative or absolute
        var host = document.location.host; // host + port
        var protocol = document.location.protocol;
        var sr_origin = '//' + host;
        var origin = protocol + sr_origin;
        // Allow absolute or scheme relative URLs to same origin
        return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
            (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
            // or any other URL that isn't scheme relative or absolute i.e relative.
            !(/^(\/\/|http:|https:).*/.test(url));
    }
    function safeMethod(method) {
        return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
    }

    if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
        xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
    }
});
</script>
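The same decision logic as the jQuery snippet above, written here as an added example (not code from the thread or from Django itself) as plain functions that take the cookie string and page origin as parameters, so the two security-relevant properties can be checked without a browser: the token is attached only to unsafe methods, and never to a cross-origin URL where it would leak to a third-party host. It assumes Django's default cookie name `csrftoken` and header `X-CSRFToken`; `csrfFetch` is a constructed fetch() wrapper for browser use.

```javascript
// Parse one cookie value out of a document.cookie-style string.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const raw of cookieString.split(';')) {
    const cookie = raw.trim();
    // Match only "name=" at the very start, so "mycsrftoken=" is not accepted.
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Same-origin test for relative, scheme-relative and absolute URLs.
// `origin` is what document.location.origin gives, e.g. "https://example.com".
function sameOrigin(url, origin) {
  const srOrigin = origin.replace(/^https?:/, ''); // "//example.com"
  // Exact origin, or origin followed by "/" (rejects "https://example.com.evil.net").
  const under = (u, o) => u === o || u.slice(0, o.length + 1) === o + '/';
  if (/^(\/\/|https?:)/.test(url)) {
    return under(url, origin) || under(url, srOrigin);
  }
  return true; // relative URL: always same origin
}

function safeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Headers to add: the token goes only on unsafe, same-origin requests.
function csrfHeaders(method, url, cookieString, origin) {
  if (safeMethod(method) || !sameOrigin(url, origin)) return {};
  const token = getCookie(cookieString, 'csrftoken');
  return token ? { 'X-CSRFToken': token } : {};
}

// Constructed fetch() wrapper for the browser; uses the real document state.
function csrfFetch(url, options = {}) {
  const method = options.method || 'GET';
  const extra = csrfHeaders(method, url, document.cookie, document.location.origin);
  return fetch(url, { ...options, headers: { ...(options.headers || {}), ...extra } });
}
```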

puneet loya

Sep 25, 2012, 10:45:08 AM9/25/12
to django...@googlegroups.com
Thank you all for your suggestions :) :)

On Mon, Sep 24, 2012 at 7:56 PM, Nicolas Patry <patry....@gmail.com> wrote:
If you have access to the form (meaning you are in the DOM), and if you don't mind using jQuery, there is the even simpler:

<script type="text/javascript">
// Serialize the form (including its csrf_token field) and POST it via AJAX.
$.post("/some/url", $("#someform").serialize(), function(data){
  // Do whatever with data
});
</script>

$("#someform").serialize() automatically adds the csrf_token which should be contained in your form. This makes it a lot easier to validate your form via AJAX.

Cheers,
Nicolas Patry
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/zaZHJCPKDuAJ.