by H_E_Pennypacker 5209 days ago
That bit of CSRF javascript does not "ignore" CSRF checking, and is not unsafe. The only difference is that it sets the CSRF token value as a request header rather than a POST value. The browser still needs to have that CSRF cookie value.

Edit: Code backing from middleware/csrf.py:

  request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
  if request_csrf_token == "":
      # Fall back to X-CSRFToken, to make things easier for AJAX
      request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

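To make the point of the comment above concrete, here is an added Python model of the full check that the quoted fallback belongs to. It is example code written for this page, not Django's own middleware: the dict shapes standing in for request.COOKIES, request.POST and request.META, the cookie name, and the constant-time comparison are assumptions; the quoted snippet only shows where the token is read from, not how it is compared.

```python
import hmac

# Django's default CSRF cookie name (assumed here; configurable in Django).
CSRF_COOKIE_NAME = "csrftoken"


def get_request_csrf_token(post, meta):
    """Mirror the lookup order in the quoted middleware code.

    `post` stands in for request.POST and `meta` for request.META, where a
    client-sent X-CSRFToken header arrives as HTTP_X_CSRFTOKEN (WSGI naming).
    The header is only consulted when the POST field is absent or empty.
    """
    token = post.get("csrfmiddlewaretoken", "")
    if token == "":
        # Fall back to X-CSRFToken, to make things easier for AJAX
        token = meta.get("HTTP_X_CSRFTOKEN", "")
    return token


def csrf_check(cookies, post, meta):
    """Simplified model of the Django CSRF check. Returns (accepted, reason).

    Whether the token travels as a POST field or as a header changes nothing
    about the security argument: the submitted value must equal the value in
    the victim's CSRF cookie, and a cross-site attacker cannot read that
    cookie, so it cannot place a matching value in either location.
    """
    cookie_token = cookies.get(CSRF_COOKIE_NAME, "")
    if cookie_token == "":
        return False, "CSRF cookie not set"

    request_token = get_request_csrf_token(post, meta)
    if request_token == "":
        return False, "CSRF token missing"

    # Constant-time comparison (an assumption of this example) so the
    # comparison itself does not leak the token through timing.
    if not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo():
    """Constructed requests: classic form POST, AJAX header, and two attacks."""
    token = "0123456789abcdef0123456789abcdef"
    victim_cookies = {CSRF_COOKIE_NAME: token}
    return {
        # Normal HTML form: token in the POST body.
        "form_post": csrf_check(victim_cookies,
                                {"csrfmiddlewaretoken": token}, {}),
        # AJAX: token in the X-CSRFToken header, no POST field.
        "ajax_header": csrf_check(victim_cookies, {},
                                  {"HTTP_X_CSRFTOKEN": token}),
        # Cross-site page guessing a token it cannot read from the cookie.
        "wrong_token": csrf_check(victim_cookies, {},
                                  {"HTTP_X_CSRFTOKEN": "f" * 32}),
        # Request with no CSRF cookie at all.
        "no_cookie": csrf_check({}, {}, {"HTTP_X_CSRFTOKEN": token}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The two legitimate cases pass for the same reason: the browser holds the cookie and the same-origin page copies its value into the request. Neither attack case passes, whichever transport the attacker uses, because the value in the cookie is what the server compares against.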

You're right. That was an oversight on our side and we've corrected it. Thanks.