diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 19:06:57 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 19:06:57 +0000 |
| commit | e9342e9b3200bb55d92e67a3b9be7392a3e54b56 (patch) | |
| tree | ebf748e76f8e3c467b40171e31d792af877056b4 /docs/ref | |
| parent | 7c648ea4aa2339cf0492d8c8da031dccce5458b1 (diff) | |
Fixed #15469 - CSRF token is inserted on GET requests
Thanks to goran for report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16191 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/contrib/csrf.txt | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 6d9a33db22..8acab718d3 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -114,7 +114,11 @@ that allow headers to be set on every request. In jQuery, you can use the // or any other URL that isn't scheme relative or absolute i.e relative. !(/^(\/\/|http:|https:).*/.test(url)); } - if (sameOrigin(settings.url)) { + function safeMethod(method) { + return (method === 'GET' || method === 'HEAD'); + } + + if (!safeMethod(settings.type) && sameOrigin(settings.url)) { xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken')); } }); |
