[Django] #29858: CSRF +


Django
Oct 17, 2018, 7:43:01 AM
to django-...@googlegroups.com
#29858: CSRF +
-----------------------------------------+------------------------
Reporter: StewPoll | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
I'm working on a small new application, and using AXIOS to post back to
Django.

Part of this is of course setting the relevant header to include the CSRF
token.
Looking at the docs there appear to be contradictory messages about what
that header should be.
Initially we get greeted with this:
''For this reason, there is an alternative method: on each
XMLHttpRequest, set a custom **X-CSRFToken**
header to the value of the CSRF token''

Later on though we get this blockquote in the docs:
''**Note**
...
The CSRF header name is **HTTP_X_CSRFTOKEN** by default, but you can
customize it using the CSRF_HEADER_NAME setting.''

From testing, it appears that X-CSRFToken is indeed the correct header to
use, as it's currently functioning, but I'm unsure if this is a bug with
Django, or an error in the docs.

If it's an error in the docs, can someone please point me in the direction
of how to submit a pull request to fix this?

--
Ticket URL: <https://code.djangoproject.com/ticket/29858>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django
Oct 17, 2018, 7:43:27 AM
to django-...@googlegroups.com
#29858: CSRF Token headers and documentation
-------------------------------+--------------------------------------
Reporter: StewPoll | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:1>

Django
Oct 17, 2018, 7:43:44 AM
to django-...@googlegroups.com
#29858: CSRF Token headers and documentation
-------------------------------+--------------------------------------
Reporter: StewPoll | Owner: nobody
Type: Uncategorized | Status: new
Component: Documentation | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by StewPoll):

* component: Uncategorized => Documentation


--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:2>

Django
Oct 17, 2018, 8:56:18 AM
to django-...@googlegroups.com
#29858: CSRF Token headers and documentation
-------------------------------+--------------------------------------
Reporter: StewPoll | Owner: nobody
Type: Uncategorized | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => invalid


Comment:

The difference is explained on the
[https://docs.djangoproject.com/en/dev/ref/settings/#csrf-header-name
settings reference] page:

As with other HTTP headers in `request.META`, the header name received
from the server is normalized by converting all characters to uppercase,
replacing any hyphens with underscores, and adding an `'HTTP_'` prefix to
the name. For example, if your client sends a `'X-XSRF-TOKEN'` header, the
setting should be `'HTTP_X_XSRF_TOKEN'`.

--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:3>
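The point raised in the original report and answered in the comment above (the client sends `X-CSRFToken`, the setting names `HTTP_X_CSRFTOKEN`, and both refer to the same header) comes down to the WSGI normalisation of header names into `request.META`. The following is an added example, not code from the ticket or from Django itself: it applies that normalisation to a constructed set of request headers, performs the same plain `META` lookup the middleware does with the configured key, and shows the failure mode a practitioner actually hits, namely setting `CSRF_HEADER_NAME` to the wire spelling, after which the token is never found and every AJAX POST is rejected. The header values and the `demo` helper are constructed for this example.

```python
"""Added example: how a client-side CSRF header name becomes a request.META
key, and why CSRF_HEADER_NAME must use the normalised form.

Not part of the Django ticket or of Django's own code. The META dict and the
token value below are constructed for illustration.
"""


def meta_key_for_header(header_name):
    """Map a wire header name to its WSGI/request.META key.

    This is the normalisation the Django settings reference describes:
    uppercase, hyphens to underscores, and an 'HTTP_' prefix.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_meta(headers):
    """Simulate the server-side request.META for a set of request headers."""
    return {meta_key_for_header(name): value for name, value in headers.items()}


def csrf_token_from_request(meta, csrf_header_name="HTTP_X_CSRFTOKEN"):
    """Look the token up the way the middleware does: a plain META lookup
    using the configured key. Returns '' when the header is absent, which is
    the case that ends in a 403 for the request."""
    return meta.get(csrf_header_name, "")


# Constructed request: the client (e.g. an axios POST) sent the header exactly
# as the AJAX section of the CSRF docs says, plus an unrelated content type.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-CSRFToken": "constructed-token-value",
}
SAMPLE_META = build_meta(SAMPLE_HEADERS)


def demo():
    """Return (default lookup, misconfigured lookup, custom-header lookup)."""
    # Default setting: the normalised key matches the header the client sent.
    found = csrf_token_from_request(SAMPLE_META)

    # Misconfiguration: CSRF_HEADER_NAME set to the wire spelling. The key is
    # never present in META, so the middleware sees no token at all.
    missing = csrf_token_from_request(SAMPLE_META, "X-CSRFToken")

    # Custom header, with the setting derived from the wire name the right way
    # (the docs' own 'X-XSRF-TOKEN' -> 'HTTP_X_XSRF_TOKEN' case).
    custom_meta = build_meta({"X-XSRF-TOKEN": "constructed-token-value"})
    custom = csrf_token_from_request(
        custom_meta, meta_key_for_header("X-XSRF-TOKEN")
    )
    return found, missing, custom


if __name__ == "__main__":
    print(meta_key_for_header("X-CSRFToken"))  # HTTP_X_CSRFTOKEN
    print(demo())
```

Because the lookup is a literal dictionary key match, any deviation in the setting (wrong case, a hyphen instead of an underscore, a missing `HTTP_` prefix) silently yields an empty token rather than an error at startup, so a 403 on every AJAX request after changing `CSRF_HEADER_NAME` is the symptom to check for.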

Django
Oct 17, 2018, 8:59:54 AM
to django-...@googlegroups.com
#29858: Inconsistency in documentation for CSRF token header names
-------------------------------+--------------------------------------
Reporter: StewPoll | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Tim Graham):

* type: Uncategorized => Bug


--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:4>

Django
Oct 17, 2018, 6:32:01 PM
to django-...@googlegroups.com
#29858: Inconsistency in documentation for CSRF token header names
--------------------------------+--------------------------------------
Reporter: Stewart Polley | Owner: nobody
Type: Bug | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------

Comment (by Stewart Polley):

Thanks for that clarification.

Would you be open to making reference to that in the Documentation for
CSRF tokens in AJAX Calls?
https://docs.djangoproject.com/en/2.1/ref/csrf/#ajax

(Sorry, getting used to this formatting)

--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:5>

Django
Oct 18, 2018, 7:47:20 PM
to django-...@googlegroups.com
#29858: Clarify docs regarding CSRF token header name
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

* status: closed => new
* resolution: invalid =>
* has_patch: 0 => 1
* type: Bug => Cleanup/optimization
* stage: Unreviewed => Accepted


Comment:

I see your point. The note was moved lower in
ddf169cdaca91e92dd5bfe6796bb6f38369ecb68 which didn't help. Could you
review my [https://github.com/django/django/pull/10529 PR]?

--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:6>

Django
Oct 18, 2018, 8:59:49 PM
to django-...@googlegroups.com
#29858: Clarify docs regarding CSRF token header name
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Stewart Polley):

I'll add some comments in the Pull Request

--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:7>

Django
Oct 19, 2018, 7:35:52 PM
to django-...@googlegroups.com
#29858: Clarify docs regarding CSRF token header name
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"a29fce89845cc9ca2fa96d8880104726b75dfbd6" a29fce8]:
{{{
#!CommitTicketReference repository=""
revision="a29fce89845cc9ca2fa96d8880104726b75dfbd6"
Fixed #29858 -- Clarified docs regarding CSRF token header name.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:8>

Django
Oct 19, 2018, 7:35:54 PM
to django-...@googlegroups.com
#29858: Clarify docs regarding CSRF token header name
--------------------------------------+------------------------------------
Reporter: Stewart Polley | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 2.1
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"4acdba42a632ef78959f67f57fab10899fefb8e6" 4acdba4]:
{{{
#!CommitTicketReference repository=""
revision="4acdba42a632ef78959f67f57fab10899fefb8e6"
[2.1.x] Fixed #29858 -- Clarified docs regarding CSRF token header name.

Backport of a29fce89845cc9ca2fa96d8880104726b75dfbd6 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29858#comment:9>
