[Django] #22859: set crossDomain = false in ajaxSetup is bad


Django

Jun 17, 2014, 11:35:43 PM6/17/14
to django-...@googlegroups.com
#22859: set crossDomain = false in ajaxSetup is bad
-------------------------------+--------------------
Reporter: flisky | Owner: nobody
Type: Bug | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
The docs suggest this -
{{{
$.ajaxSetup({
    crossDomain: false, // obviates need for sameOrigin test
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type)) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});
}}}


However, people need to set crossDomain = true if there is a cross-domain
request under some circumstances.
(In my case, I use CORS with the server responding with 'Access-Control-Allow-
Origin' and no 'Access-Control-Request-Headers')

Actually, jQuery does this more intelligently:
{{{ default: false for same-domain requests, true for cross-domain requests }}}

And jQuery sets the crossDomain value **before** calling {{{beforeSend}}},
so I propose this:
{{{
$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        // jQuery has already decided crossDomain at this point; `this` is the
        // settings object, so the token is only attached to same-origin requests.
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22859>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
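To make the difference between the two snippets concrete, here is an added example (not from the ticket, Django's docs or jQuery) that stands in for jQuery's crossDomain detection and its beforeSend hook, then runs the original and the proposed setup against same-origin and cross-origin requests. `isCrossDomain`, `simulateAjax`, `sentToken`, the page origin and the token value are constructed for this example; only `csrfSafeMethod` and the two setup objects follow the ticket text.

```javascript
// Helper from the Django docs snippet: these methods need no CSRF token.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method);
}

// Stand-in for jQuery's default: crossDomain is true when the request URL's
// origin (scheme, host, port) differs from the page origin. Constructed helper.
function isCrossDomain(pageOrigin, url) {
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

const CSRFTOKEN = "constructed-csrf-token"; // constructed sample value

// Original docs snippet: crossDomain forced to false, so every unsafe request
// gets the token, including requests to other origins.
const originalSetup = {
  crossDomain: false,
  beforeSend: function (xhr, settings) {
    if (!csrfSafeMethod(settings.type)) {
      xhr.setRequestHeader("X-CSRFToken", CSRFTOKEN);
    }
  },
};

// Proposed snippet: trust the crossDomain value jQuery computed, read via `this`.
const proposedSetup = {
  beforeSend: function (xhr, settings) {
    if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
      xhr.setRequestHeader("X-CSRFToken", CSRFTOKEN);
    }
  },
};

// Minimal stand-in for $.ajax: an explicit crossDomain in the setup wins,
// otherwise it is computed, and beforeSend runs afterwards with `this`
// bound to the settings object (jQuery's behaviour when no `context` is set).
function simulateAjax(setup, pageOrigin, url, type) {
  const settings = { url, type, crossDomain: isCrossDomain(pageOrigin, url) };
  if (typeof setup.crossDomain === "boolean") settings.crossDomain = setup.crossDomain;
  const headers = {};
  const xhr = { setRequestHeader(name, value) { headers[name] = value; } };
  setup.beforeSend.call(settings, xhr, settings);
  return headers;
}

// Returns the X-CSRFToken value that would be sent, or undefined if none.
function sentToken(setup, pageOrigin, url, type) {
  return simulateAjax(setup, pageOrigin, url, type)["X-CSRFToken"];
}

const PAGE = "https://app.example"; // constructed page origin
console.log(sentToken(originalSetup, PAGE, "https://api.other.example/v1", "POST")); // token sent to another origin
console.log(sentToken(proposedSetup, PAGE, "https://api.other.example/v1", "POST")); // undefined
```

With the original setup a cross-origin POST carries the session's CSRF token to a third-party origin; with the proposed setup it does not, while same-origin unsafe requests still get it.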

Django

Jun 18, 2014, 7:58:59 AM6/18/14
to django-...@googlegroups.com
#22859: set crossDomain = false in ajaxSetup is bad
-------------------------------+------------------------------------
Reporter: flisky | Owner: nobody
Type: Bug | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by timo):

* needs_better_patch: => 0
* stage: Unreviewed => Accepted
* needs_tests: => 0
* needs_docs: => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/22859#comment:1>

Django

Jun 18, 2014, 2:37:07 PM6/18/14
to django-...@googlegroups.com
#22859: set crossDomain = false in ajaxSetup is bad
-------------------------------+------------------------------------
Reporter: flisky | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"0be4d64487537fe5fe220cfb8896c4da08bb22a8"]:
{{{
#!CommitTicketReference repository=""
revision="0be4d64487537fe5fe220cfb8896c4da08bb22a8"
Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22859#comment:2>

Django

Jun 18, 2014, 2:39:02 PM6/18/14
to django-...@googlegroups.com
#22859: set crossDomain = false in ajaxSetup is bad
-------------------------------+------------------------------------
Reporter: flisky | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"d29f3b9e878c10417d66e1542ac52fe2ca242cf8"]:
{{{
#!CommitTicketReference repository=""
revision="d29f3b9e878c10417d66e1542ac52fe2ca242cf8"
[1.4.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22859#comment:3>

Django

Jun 18, 2014, 2:39:02 PM6/18/14
to django-...@googlegroups.com
#22859: set crossDomain = false in ajaxSetup is bad
-------------------------------+------------------------------------
Reporter: flisky | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"d4a3fd44f04fd06252ccfdd001772daa35c510d1"]:
{{{
#!CommitTicketReference repository=""
revision="d4a3fd44f04fd06252ccfdd001772daa35c510d1"
[1.6.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22859#comment:4>

Django

Jun 18, 2014, 2:39:03 PM6/18/14
to django-...@googlegroups.com
#22859: set crossDomain = false in ajaxSetup is bad
-------------------------------+------------------------------------
Reporter: flisky | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"ce06ef5569705ab4a7c0a495deb7fe5efb63c153"]:
{{{
#!CommitTicketReference repository=""
revision="ce06ef5569705ab4a7c0a495deb7fe5efb63c153"
[1.5.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22859#comment:6>

Django

Jun 18, 2014, 2:39:03 PM6/18/14
to django-...@googlegroups.com
#22859: set crossDomain = false in ajaxSetup is bad
-------------------------------+------------------------------------
Reporter: flisky | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"427f218a5ecec315a18583c1013e315d9102d6d3"]:
{{{
#!CommitTicketReference repository=""
revision="427f218a5ecec315a18583c1013e315d9102d6d3"
[1.7.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22859#comment:5>
