[Django] #29858: CSRF +
Django
-----------------------------------------+------------------------
Reporter: StewPoll | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
I'm working on a small new application, and using AXIOS to post back to
Django.
Part of this is of course setting the relevant header to include the CSRF
token.
Looking at the docs there appears to be contradicting messages about what
that heading should be.
Initially we get greeted with this:
''For this reason, there is an alternative method: on each
XMLHttpRequest, set a custom **X-CSRFToken**
header to the value of the CSRF token''
Later on though we get this blockquote in the docs:
''**Note**
...
The CSRF header name is **HTTP_X_CSRFTOKEN** by default, but you can
customize it using the CSRF_HEADER_NAME setting.''
From testing, it appears that X-CSRFToken is indeed the correct header to
use, as it's currently functioning, but I'm unsure if this is a bug with
Django, or an error in the docs.
If it's an error in the docs, can someone please point me in the direction
of how to submit a pull request to fix this?
--
Ticket URL: <https://code.djangoproject.com/ticket/29858>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
-------------------------------+--------------------------------------
Reporter: StewPoll | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:1>
Django
-------------------------------+--------------------------------------
Type: Uncategorized | Status: new
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by StewPoll):
* component: Uncategorized => Documentation
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:2>
Django
-------------------------------+--------------------------------------
Type: Uncategorized | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham):
* status: new => closed
* resolution: => invalid
Comment:
The difference is explained on the
[https://docs.djangoproject.com/en/dev/ref/settings/#csrf-header-name
settings reference] page:
As with other HTTP headers in `request.META`, the header name received
from the server is normalized by converting all characters to uppercase,
replacing any hyphens with underscores, and adding an `'HTTP_'` prefix to
the name. For example, if your client sends a `'X-XSRF-TOKEN'` header, the
setting should be `'HTTP_X_XSRF_TOKEN'`.
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:3>
Django
-------------------------------+--------------------------------------
Reporter: StewPoll | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: invalid
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham):
* type: Uncategorized => Bug
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:4>
Django
Reporter: Stewart Polley | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: invalid
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Stewart Polley):
Thanks for that clarification.
Would you be open to making reference to that in the Documentation for
CSRF tokens in AJAX Calls?
https://docs.djangoproject.com/en/2.1/ref/csrf/#ajax
(Sorry, getting used to this formatting)
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:5>
Django
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Component: Documentation | Version: 2.1
Severity: Normal | Resolution:
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham):
* status: closed => new
* resolution: invalid =>
* has_patch: 0 => 1
* type: Bug => Cleanup/optimization
* stage: Unreviewed => Accepted
Comment:
I see your point. The note was moved lower in
ddf169cdaca91e92dd5bfe6796bb6f38369ecb68 which didn't help. Could you
review my [https://github.com/django/django/pull/10529 PR]?
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:6>
Django
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Stewart Polley):
I'll add some comments in the Pull Request
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:7>
Django
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"a29fce89845cc9ca2fa96d8880104726b75dfbd6" a29fce8]:
{{{
#!CommitTicketReference repository=""
revision="a29fce89845cc9ca2fa96d8880104726b75dfbd6"
Fixed #29858 -- Clarified docs regarding CSRF token header name.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:8>
Django
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"4acdba42a632ef78959f67f57fab10899fefb8e6" 4acdba4]:
{{{
#!CommitTicketReference repository=""
revision="4acdba42a632ef78959f67f57fab10899fefb8e6"
[2.1.x] Fixed #29858 -- Clarified docs regarding CSRF token header name.
Backport of a29fce89845cc9ca2fa96d8880104726b75dfbd6 from master.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:9>