authorLuke Plant <L.Plant.98@cantab.net>2011-05-09 21:39:22 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-05-09 21:39:22 +0000
commitcfc1756ef57b019b772ac60e651a76fe2d41a7e1 (patch)
tree649a35e8bb5149b7e1a768828f109c75a355f934
parent87fa64ca7c24fe16189fe638805e09a66c52b403 (diff)
[1.2.X] Fixed #15469 - CSRF token is inserted on GET requests
Thanks to goran for report. Backport of [16191] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16194 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--docs/ref/contrib/csrf.txt6
1 files changed, 5 insertions, 1 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 7cf527eb3e..7ef1207d65 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -124,7 +124,11 @@ that allow headers to be set on every request. In jQuery, you can use the
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}
- if (sameOrigin(settings.url)) {
+ function safeMethod(method) {
+ return (method === 'GET' || method === 'HEAD');
+ }
+
+ if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
}
});