* "CSRF token incorrect"
* "CSRF token has incorrect length"
I noticed that it would be relatively easy to include in these messages
whether the token was obtained from `POST` data or a custom header, which
would be useful for troubleshooting. The new messages could look e.g.
like--
* "CSRF token (from POST) incorrect"
* "CSRF token (from 'X-CSRFToken' header) has incorrect length"
The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would make
these cases easy to test.
--
Ticket URL: <https://code.djangoproject.com/ticket/32817>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Old description:
> Currently, if `CsrfViewMiddleware` encounters a bad CSRF token, it will
> reject the request with a message like--
>
> * "CSRF token incorrect"
> * "CSRF token has incorrect length"
>
> I noticed that it would be relatively easy to include in these messages
> whether the token was obtained from `POST` data or a custom header, which
> would be useful for troubleshooting. The new messages could look e.g.
> like--
>
> * "CSRF token (from POST) incorrect"
> * "CSRF token (from 'X-CSRFToken' header) has incorrect length"
>
> The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would
> make these cases easy to test.
New description:
Currently, if `CsrfViewMiddleware` encounters a bad CSRF token, it will
reject the request with a message like--
* "CSRF token incorrect"
* "CSRF token has incorrect length"
I noticed that it would be relatively easy to include in these messages
whether the token was obtained from `POST` data or a custom header, which
would be useful for troubleshooting. The messages are specified here in the code:
<https://github.com/django/django/blob/213850b4b9641bdcb714172999725ec9aa9c9e84/django/middleware/csrf.py#L411-L417>.
The new messages could look e.g. like--
* "CSRF token (from POST) incorrect"
* "CSRF token (from 'X-CSRFToken' header) has incorrect length"
The changes to `CsrfViewMiddlewareTestMixin` proposed in #32800 would make
these cases easy to test.
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:1>
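The source-qualified check the ticket proposes, as an added stand-alone illustration that is not Django's own code: it models the middleware's order of lookup (the `csrfmiddlewaretoken` POST field first, then the custom header) and names the source in each rejection reason. The token format (32-char secret, 64-char masked token) and the `HTTP_X_CSRFTOKEN` META key are restated from Django's scheme as assumptions; `post` and `meta` stand in for `request.POST` and `request.META`.

```python
import hmac
import string

# Assumed token format, mirroring Django's scheme: a 32-char alphanumeric
# secret in the cookie; the request carries either that secret or a 64-char
# masked token (cipher + mask). Constants are restated here, not imported.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 64
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"  # request.META key for X-CSRFToken
CSRF_HEADER_DISPLAY = "'X-CSRFToken' header"


class RejectRequest(Exception):
    """Carries the reason the middleware would log and answer with a 403."""


def unmask_token(token):
    """Recover the secret from a masked token; a 32-char token is the secret."""
    if len(token) == CSRF_SECRET_LENGTH:
        return token
    chars = CSRF_ALLOWED_CHARS
    cipher, mask = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(chars[(chars.index(c) - chars.index(m)) % len(chars)]
                   for c, m in zip(cipher, mask))


def check_token(method, post, meta, cookie_secret):
    """Return the token source on success; raise RejectRequest otherwise."""
    token, source = "", "POST"
    if method == "POST":
        token = post.get("csrfmiddlewaretoken", "")
    if token == "":
        # No POST field (or a non-POST method): fall back to the custom header.
        token, source = meta.get(CSRF_HEADER_NAME, ""), CSRF_HEADER_DISPLAY
    if token == "":
        raise RejectRequest("CSRF token missing")  # neither source supplied one
    if len(token) not in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH):
        raise RejectRequest(f"CSRF token (from {source}) has incorrect length")
    if any(c not in CSRF_ALLOWED_CHARS for c in token):
        raise RejectRequest(f"CSRF token (from {source}) has invalid characters")
    # Constant-time comparison so the check leaks nothing about the secret.
    if not hmac.compare_digest(unmask_token(token), cookie_secret):
        raise RejectRequest(f"CSRF token (from {source}) incorrect")
    return source


def rejection_reason(method, post, meta, cookie_secret):
    """The rejection message, or None when the token is accepted."""
    try:
        check_token(method, post, meta, cookie_secret)
    except RejectRequest as exc:
        return str(exc)
    return None
```

Because the invalid-character check runs before unmasking, a malformed token is reported with its source instead of blowing up inside `unmask_token`.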
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:2>
* owner: nobody => Chris Jerdonek
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:3>
* has_patch: 0 => 1
Comment:
PR: https://github.com/django/django/pull/14518
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:4>
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:5>
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"999402f1428870cf9f078940880c8646174bb909" 999402f]:
{{{
#!CommitTicketReference repository=""
revision="999402f1428870cf9f078940880c8646174bb909"
Refs #32817 -- Combined the bad-or-missing CSRF token tests.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:6>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"fcb75651f9b8c2f76ec037f1a68a0e5c99263d8c" fcb7565]:
{{{
#!CommitTicketReference repository=""
revision="fcb75651f9b8c2f76ec037f1a68a0e5c99263d8c"
Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token
error messages.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:9>
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"1a284afb07ad8806b29044a8cdd0d0bb20165fa4" 1a284afb]:
{{{
#!CommitTicketReference repository=""
revision="1a284afb07ad8806b29044a8cdd0d0bb20165fa4"
Refs #32817 -- Added tests for bad CSRF token provided via X-CSRFToken or
custom header.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:8>
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"6837bd68a44ee8676a522bfe6121bd3e82cea677" 6837bd68]:
{{{
#!CommitTicketReference repository=""
revision="6837bd68a44ee8676a522bfe6121bd3e82cea677"
Refs #32817 -- Added post_token/meta_token/token_header arguments to
_get_POST_csrf_cookie_request().
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32817#comment:7>