passing CSRF credentials as url parameters?

How do you handle csrf credentials sent to django as url parameters?

I ask because that is, evidently, the only way to submit a file upload via a form in an iFrame.

Most online examples show how to pass csrf credentials as headers,

xhr.setRequestHeader("X-CSRFToken", csrfToken );

but this is not an option for iFrame transport in IE/Opera.

I can use csrf_exempt, but this leaves my site vulnerable.

Answers

You could create some middleware that takes csrf_token from the GET params and places it on the request before CsrfViewMiddleware attempts to validate it.

class CsrfGetParamMiddleware(object):
    # Old-style (process_request) middleware for settings that use MIDDLEWARE_CLASSES.
    # CsrfViewMiddleware reads the X-CSRFToken header from request.META['HTTP_X_CSRFTOKEN'],
    # so promoting the query parameter into that slot lets the normal check run unchanged.
    def process_request(self, request):
        token = request.GET.get('csrf_token')
        # Only set the header slot when the parameter is actually present, so a
        # request that already carries a real X-CSRFToken header is not overwritten
        # with None (which would break the constant-time comparison).
        if token and 'HTTP_X_CSRFTOKEN' not in request.META:
            request.META['HTTP_X_CSRFTOKEN'] = token
        return None

Place this middleware above the CsrfViewMiddleware

MIDDLEWARE_CLASSES = (
    # Use the full dotted path to wherever the class above is defined; the module
    # name here is a placeholder.
    'myproject.middleware.CsrfGetParamMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
)

This saves you from validating it yourself or subclassing CsrfViewMiddleware.
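The following is an added, self-contained illustration of the approach in this answer; it is not code from the answer or from Django. `FakeRequest`, `csrf_check` and `run_pipeline` are constructed stand-ins so it runs without Django installed: `csrf_check` mirrors only the core of what CsrfViewMiddleware does (compare the header token against the `csrftoken` cookie in constant time, skip safe methods), while real Django additionally unmasks the token and validates its format. The point it demonstrates is that the middleware should promote the query parameter into `HTTP_X_CSRFTOKEN` only when the parameter is present and no genuine header was sent, so a forged or missing token is still rejected and an ordinary XHR is not clobbered. Keep in mind that a token placed in a URL also lands in server access logs and Referer headers, so limit this path to the iFrame upload endpoint that needs it.

```python
import hmac


class FakeRequest:
    """Constructed stand-in for a Django HttpRequest with only the attributes
    the middleware and the check below touch."""

    def __init__(self, method="POST", get=None, cookies=None, meta=None):
        self.method = method
        self.GET = dict(get or {})
        self.COOKIES = dict(cookies or {})
        self.META = dict(meta or {})


class CsrfGetParamMiddleware:
    """Copies ?csrf_token=... into the META slot CsrfViewMiddleware reads.

    Old-style process_request middleware, as in the answer; it must be listed
    before django.middleware.csrf.CsrfViewMiddleware.
    """

    PARAM = "csrf_token"                  # query-string parameter name (assumption)
    HEADER_META_KEY = "HTTP_X_CSRFTOKEN"  # META key for the X-CSRFToken header

    def process_request(self, request):
        token = request.GET.get(self.PARAM)
        # Promote the parameter only when present and no real header was sent,
        # so a normal XHR carrying X-CSRFToken is never overwritten with None.
        if token and self.HEADER_META_KEY not in request.META:
            request.META[self.HEADER_META_KEY] = token
        return None


def csrf_check(request):
    """Simplified core of CsrfViewMiddleware's comparison: the header token must
    equal the csrftoken cookie, compared in constant time. True = accepted."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True  # safe methods are not CSRF-checked
    cookie_token = request.COOKIES.get("csrftoken", "")
    header_token = request.META.get("HTTP_X_CSRFTOKEN", "")
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token)


def run_pipeline(request):
    """Apply the middleware first, then the check, matching the ordering in
    MIDDLEWARE_CLASSES."""
    CsrfGetParamMiddleware().process_request(request)
    return csrf_check(request)


def demo():
    # Constructed sample token; in Django it comes from the csrftoken cookie.
    token = "abc123samplecsrftoken"
    cookie = {"csrftoken": token}
    iframe_upload = FakeRequest(get={"csrf_token": token}, cookies=cookie)
    forged = FakeRequest(get={"csrf_token": "wrongtoken"}, cookies=cookie)
    missing = FakeRequest(cookies=cookie)
    xhr = FakeRequest(cookies=cookie, meta={"HTTP_X_CSRFTOKEN": token},
                      get={"csrf_token": "ignored"})
    return {
        "iframe_upload": run_pipeline(iframe_upload),  # True: param matches cookie
        "forged": run_pipeline(forged),                # False: param mismatches cookie
        "missing": run_pipeline(missing),              # False: no token at all
        "xhr_header_kept": run_pipeline(xhr),          # True: real header wins
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four outcomes; the header-present case shows why the middleware must not unconditionally assign the parameter, and the missing case shows that csrf_exempt is not needed since the standard check still runs.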
