diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 21:37:52 +0000 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 21:37:52 +0000 |
| commit | fb052a15edbaf81a60c1d64b6088f2d4bdeec926 (patch) | |
| tree | 027a2e78399cfc51394320df03582e1f4f62aeeb /docs/ref | |
| parent | b3a46135955d0f1d3e3d39185ef977996c8cce9a (diff) | |
[1.3.X] Fixed #15469 - CSRF token is inserted on GET requests
Thanks to goran for report.
Backport of [16191] from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/contrib/csrf.txt | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 31f377312d..7e9700dc3f 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -124,7 +124,11 @@ that allow headers to be set on every request. In jQuery, you can use the // or any other URL that isn't scheme relative or absolute i.e relative. !(/^(\/\/|http:|https:).*/.test(url)); } - if (sameOrigin(settings.url)) { + function safeMethod(method) { + return (method === 'GET' || method === 'HEAD'); + } + + if (!safeMethod(settings.type) && sameOrigin(settings.url)) { xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken')); } }); |
