diff --git a/django/contrib/csrf/middleware.py b/django/contrib/csrf/middleware.py
index 0d0a8eca9e..40cbcf502b 100644
--- a/django/contrib/csrf/middleware.py
+++ b/django/contrib/csrf/middleware.py
@@ -101,7 +101,13 @@ class CsrfResponseMiddleware(object):
 "' />")
 # Modify any POST forms
- response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
+ response.content, n = _POST_FORM_RE.subn(add_csrf_field, response.content)
+ if n > 0:
+ # Since the content has been modified, any Etag will now be
+ # incorrect. We could recalculate, but only is we assume that
+ # the Etag was set by CommonMiddleware. The safest thing is just
+ # to delete. See bug #9163
+ del response['ETag']
 return response
 class CsrfMiddleware(CsrfViewMiddleware, CsrfResponseMiddleware):
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 1b6b6102de..cbe55dc38a 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
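Review bot: The new `if n > 0:` branch in CsrfResponseMiddleware drops only `ETag`, but the same rewrite also invalidates any `Content-Length` that a middleware which ran earlier on the response has already set (ConditionalGetMiddleware appears to set one), and the hunk leaves that header untouched. If the ordering described in docs/ref/contrib/csrf.txt is not followed, the client would be told a length shorter than the body that now carries the injected field. Consider adding `if response.has_header('Content-Length'): response['Content-Length'] = str(len(response.content))` inside the same branch. The added comment also reads "only is we assume"; it should be "only if we assume". The enclosing method starts outside the hunk, so whether it marks the token-bearing response as varying per session (for example via `Vary: Cookie`) cannot be confirmed from here.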
@@ -22,12 +22,12 @@ middleware into your list of installed middleware.
 How to use it
 =============
-Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
-your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
-the response after the SessionMiddleware, so must come before it in the
-list. It also must process the response before things like compression
-happen to the response, so it must come after GZipMiddleware in the
-list.
+Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to your
+list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
+the response after the SessionMiddleware, so must come before it in the list. It
+also must process the response before things like compression or setting of
+ETags happen to the response, so it must come after GZipMiddleware,
+CommonMiddleware and ConditionalGetMiddleware in the list.
 The ``CsrfMiddleware`` class is actually composed of two middleware:
 ``CsrfViewMiddleware`` which performs the checks on incoming requests,