summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2011-05-09 21:37:52 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-05-09 21:37:52 +0000
commitfb052a15edbaf81a60c1d64b6088f2d4bdeec926 (patch)
tree027a2e78399cfc51394320df03582e1f4f62aeeb
parentb3a46135955d0f1d3e3d39185ef977996c8cce9a (diff)
[1.3.X] Fixed #15469 - CSRF token is inserted on GET requests
Thanks to goran for report. Backport of [16191] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--docs/ref/contrib/csrf.txt6
1 files changed, 5 insertions, 1 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 31f377312d..7e9700dc3f 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -124,7 +124,11 @@ that allow headers to be set on every request. In jQuery, you can use the
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}
- if (sameOrigin(settings.url)) {
+ function safeMethod(method) {
+ return (method === 'GET' || method === 'HEAD');
+ }
+
+ if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
}
});