Part of this is of course setting the relevant header to include the CSRF
token.
Looking at the docs, there appear to be contradicting messages about what
that heading should be.
Initially we get greeted with this:
''For this reason, there is an alternative method: on each
XMLHttpRequest, set a custom **X-CSRFToken**
header to the value of the CSRF token''
Later on though we get this blockquote in the docs:
''**Note**
...
The CSRF header name is **HTTP_X_CSRFTOKEN** by default, but you can
customize it using the CSRF_HEADER_NAME setting.''
From testing, it appears that X-CSRFToken is indeed the correct header to
use, as it's currently functioning, but I'm unsure if this is a bug with
Django, or an error in the docs.
If it's an error in the docs, can someone please point me in the direction
of how to submit a pull request to fix this?
--
Ticket URL: <https://code.djangoproject.com/ticket/29858>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:1>
* component: Uncategorized => Documentation
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:2>
* status: new => closed
* resolution: => invalid
Comment:
The difference is explained on the [https://docs.djangoproject.com/en/dev/ref/settings/#csrf-header-name settings reference] page:
As with other HTTP headers in `request.META`, the header name received
from the server is normalized by converting all characters to uppercase,
replacing any hyphens with underscores, and adding an `'HTTP_'` prefix to
the name. For example, if your client sends a `'X-XSRF-TOKEN'` header, the
setting should be `'HTTP_X_XSRF_TOKEN'`.
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:3>
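The normalization quoted above is the whole source of the confusion in this ticket: the client sends ''X-CSRFToken'', the middleware reads ''HTTP_X_CSRFTOKEN''. The script below is an added illustration (not part of the ticket thread or of Django's own code) that reproduces the rule the settings reference describes and uses it to check whether a given client header name will actually be found under a given CSRF_HEADER_NAME value; the header sets it feeds in are constructed.

```python
"""Header-name normalization behind Django's CSRF_HEADER_NAME setting.

Added illustration, not Django's own code: it reproduces the WSGI/CGI rule the
settings reference describes (uppercase, '-' -> '_', 'HTTP_' prefix) and uses
it to check that the header a client sends is found under the configured
CSRF_HEADER_NAME. All header dicts below are constructed sample input.
"""
from typing import Dict, Optional

DEFAULT_CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"  # Django's default setting value

# CGI/WSGI special case: these two arrive in META without the HTTP_ prefix.
_UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}


def meta_key_for_header(header_name: str) -> str:
    """Map a wire header name ('X-CSRFToken') to its request.META key."""
    key = header_name.strip().upper().replace("-", "_")
    return key if key in _UNPREFIXED else "HTTP_" + key


def build_meta(headers: Dict[str, str]) -> Dict[str, str]:
    """Simulate the META dict a WSGI server builds from raw request headers."""
    return {meta_key_for_header(name): value for name, value in headers.items()}


def csrf_token_from_meta(meta: Dict[str, str],
                         csrf_header_name: str = DEFAULT_CSRF_HEADER_NAME) -> Optional[str]:
    """Look the token up the way the middleware does: by META key, not wire name."""
    return meta.get(csrf_header_name)


def header_matches_setting(client_header: str,
                           csrf_header_name: str = DEFAULT_CSRF_HEADER_NAME) -> bool:
    """Deployment check: does the client's header name reach the configured key?"""
    return meta_key_for_header(client_header) == csrf_header_name


if __name__ == "__main__":
    token = "constructed-token-value"
    # With the default setting, 'X-CSRFToken' (any case) works; the hyphenated
    # 'X-CSRF-Token' normalizes to HTTP_X_CSRF_TOKEN and is silently ignored.
    for sent in ("X-CSRFToken", "x-csrftoken", "X-CSRF-Token"):
        meta = build_meta({sent: token, "Content-Type": "application/json"})
        found = csrf_token_from_meta(meta) is not None
        print(f"{sent:13} -> {meta_key_for_header(sent):18} token found: {found}")
    # The docs example: a custom 'X-XSRF-TOKEN' header needs HTTP_X_XSRF_TOKEN.
    print(header_matches_setting("X-XSRF-TOKEN", "HTTP_X_XSRF_TOKEN"))
```

The hyphenated case is the one worth checking in a real deployment: a request with the wrong header name is not rejected with an explicit "bad header" error, it just fails the CSRF check as if no token had been sent.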
* type: Uncategorized => Bug
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:4>
Comment (by Stewart Polley):
Thanks for that clarification.
Would you be open to making reference to that in the Documentation for
CSRF tokens in AJAX Calls?
https://docs.djangoproject.com/en/2.1/ref/csrf/#ajax
(Sorry, getting used to this formatting)
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:5>
* status: closed => new
* resolution: invalid =>
* has_patch: 0 => 1
* type: Bug => Cleanup/optimization
* stage: Unreviewed => Accepted
Comment:
I see your point. The note was moved lower in
ddf169cdaca91e92dd5bfe6796bb6f38369ecb68 which didn't help. Could you
review my [https://github.com/django/django/pull/10529 PR]?
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:6>
Comment (by Stewart Polley):
I'll add some comments in the Pull Request
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:7>
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"a29fce89845cc9ca2fa96d8880104726b75dfbd6" a29fce8]:
{{{
#!CommitTicketReference repository=""
revision="a29fce89845cc9ca2fa96d8880104726b75dfbd6"
Fixed #29858 -- Clarified docs regarding CSRF token header name.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:8>
Comment (by Tim Graham <timograham@…>):
In [changeset:"4acdba42a632ef78959f67f57fab10899fefb8e6" 4acdba4]:
{{{
#!CommitTicketReference repository=""
revision="4acdba42a632ef78959f67f57fab10899fefb8e6"
[2.1.x] Fixed #29858 -- Clarified docs regarding CSRF token header name.
Backport of a29fce89845cc9ca2fa96d8880104726b75dfbd6 from master.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:9>