CSRF middleware conflicts with request.upload_handlers

Curtis Maloney

Nov 16, 2015, 12:51:18 AM
to django-d...@googlegroups.com

So I recently ran into the csrf/upload_handlers conflict as mentioned in
the note https://docs.djangoproject.com/en/1.8/topics/http/file-uploads/#id1

I'd like to propose an additional option to solve this -- a decorator to
mark a view as "ajax-only" ... so the CSRF middleware will _only_ check
the header for the value, and skip request.POST.

Of course, this sort of change should involve a serious consideration to
the security ramifications of such a change.

So please... weigh in, one and all :)

--
Curtis

Collin Anderson

Nov 16, 2015, 8:45:27 AM
to Django developers (Contributions to Django itself)
Maybe @csrf_check_header_only? I usually put the token in POST for my ajax calls.

Curtis Maloney

Nov 20, 2015, 1:03:03 AM
to Django developers (Contributions to Django itself)
Yeah... good name for it...


--
Curtis
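
A stdlib-only model of the conflict and of the header-only check proposed in this thread, added here as an example; it is not code from Django or from any poster. `FakeRequest`, `check_post_then_header`, `check_header_only` and `handle_upload` are hypothetical names, and the request object only imitates the behaviour that parsing the body locks the upload handlers.

```python
import hmac

class FakeRequest:
    """Constructed stand-in for an HTTP request; not Django's HttpRequest."""
    def __init__(self, cookies, headers, form):
        self.COOKIES, self.headers, self._form = cookies, headers, form
        self._body_parsed = False
        self._upload_handlers = ["default"]

    @property
    def POST(self):
        # Reading POST parses the body with whatever handlers are set now.
        self._body_parsed = True
        return self._form

    @property
    def upload_handlers(self):
        return self._upload_handlers

    @upload_handlers.setter
    def upload_handlers(self, handlers):
        if self._body_parsed:
            raise AttributeError("upload handlers locked: body already parsed")
        self._upload_handlers = handlers

def _token_ok(cookie, candidate):
    # Constant-time comparison; an empty cookie or candidate never passes.
    return bool(cookie) and bool(candidate) and hmac.compare_digest(cookie, candidate)

def check_post_then_header(request):
    """Models the conflict: looks in request.POST first, then the header."""
    cookie = request.COOKIES.get("csrftoken", "")
    form_token = request.POST.get("csrfmiddlewaretoken", "")
    return _token_ok(cookie, form_token or request.headers.get("X-CSRFToken", ""))

def check_header_only(request):
    """Models the proposed check: header only, request body left unparsed."""
    cookie = request.COOKIES.get("csrftoken", "")
    return _token_ok(cookie, request.headers.get("X-CSRFToken", ""))

def handle_upload(request, check):
    """Run a CSRF check, then try to install a custom upload handler."""
    if not check(request):
        return "403 csrf"
    try:
        request.upload_handlers = ["custom"]
    except AttributeError:
        return "handlers locked"
    return "ok"
```

With the header-only check, a request that carries the token only in the POST body is rejected, so every client of such a view has to send the header.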