@@ -81,6 +81,47 @@ The utility script ``extras/csrf_migration_helper.py`` can help to automate the
8181finding of code and templates that may need to be upgraded. It contains full
8282help on how to use it.
8383
84+ AJAX
85+ ----
86+
87+ While the above method can be used for AJAX POST requests, it has some
88+ inconveniences: you have to remember to pass the CSRF token in as POST data with
89+ every POST request. For this reason, there is an alternative method: on each
90+ XMLHttpRequest, set a custom `X-CSRFToken` header to the value of the CSRF
91+ token. This is often easier, because many javascript frameworks provide hooks
92+ that allow headers to be set on every request. In jQuery, you can use the
93+ ``beforeSend`` hook as follows:
94+
95+ .. code-block:: javascript
96+
97+ $.ajaxSetup({
98+ beforeSend: function(xhr, settings) {
99+ function getCookie(name) {
100+ var cookieValue = null;
101+ if (document.cookie && document.cookie != '') {
102+ var cookies = document.cookie.split(';');
103+ for (var i = 0; i < cookies.length; i++) {
104+ var cookie = jQuery.trim(cookies[i]);
105+ // Does this cookie string begin with the name we want?
106+ if (cookie.substring(0, name.length + 1) == (name + '=')) {
107+ cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
108+ break;
109+ }
110+ }
111+ }
112+ return cookieValue;
113+ }
114+ if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
115+ // Only send the token to relative URLs i.e. locally.
116+ xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
117+ }
118+ }
119+ });
120+
121+ Adding this to a javascript file that is included on your site will ensure that
122+ AJAX POST requests that are made via jQuery will not be caught by the CSRF
123+ protection.
124+
84125The decorator method
85126--------------------
86127
@@ -262,10 +303,6 @@ in the same module. These disable the view protection mechanism
262303(``CsrfResponseMiddleware``) respectively. They can be used individually if
263304required.
264305
265- You don't have to worry about doing this for most AJAX views. Any request sent
266- with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the `How
267- it works`_ section.)
268-
269306Subdomains
270307----------
271308
@@ -343,24 +380,6 @@ request ought to be harmless.
343380response, and only pages that are served as 'text/html' or
344381'application/xml+xhtml' are modified.
345382
346- AJAX
347- ----
348-
349- The middleware tries to be smart about requests that come in via AJAX. Most
350- modern JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP
351- header; these requests are detected and automatically *not* handled by this
352- middleware. We can do this safely because, in the context of a browser, the
353- header can only be added by using ``XMLHttpRequest``, and browsers already
354- implement a same-domain policy for ``XMLHttpRequest``.
355-
356- For the more recent browsers that relax this same-domain policy, custom headers
357- like "X-Requested-With" are only allowed after the browser has done a
358- 'preflight' check to the server to see if the cross-domain request is allowed,
359- using a strictly 'opt in' mechanism, so the exception for AJAX is still safe—if
360- the developer has specifically opted in to allowing cross-site AJAX POST
361- requests on a specific URL, they obviously don't want the middleware to disallow
362- exactly that.
363-
364383.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
365384
366385Caching
0 commit comments