Edited ref/contrib/csrf.txt changes from [9554]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9593 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
352efd1893
commit
e9b90d9899
|
@ -35,11 +35,18 @@ Exceptions
|
||||||
.. versionadded:: 1.1
|
.. versionadded:: 1.1
|
||||||
|
|
||||||
To manually exclude a view function from being handled by the
|
To manually exclude a view function from being handled by the
|
||||||
CsrfMiddleware, you can use the ``csrf_exempt`` decorator (found in
|
CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in
|
||||||
the ``django.contrib.csrf.middleware`` module).
|
the ``django.contrib.csrf.middleware`` module. For example::
|
||||||
|
|
||||||
AJAX requests sent with "X-Requested-With: XMLHttpRequest" are
|
from django.contrib.csrf.middleware import csrf_exempt
|
||||||
automatically exempt (see below).
|
|
||||||
|
def my_view(request):
|
||||||
|
return HttpResponse('Hello world')
|
||||||
|
my_view = csrf_exempt(my_view)
|
||||||
|
|
||||||
|
You don't have to worry about doing this for most AJAX views. Any request sent
|
||||||
|
with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the next
|
||||||
|
section.)
|
||||||
|
|
||||||
How it works
|
How it works
|
||||||
============
|
============
|
||||||
|
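Review bot: The new ``csrf_exempt`` example uses ``HttpResponse`` without importing it, so a reader who pastes it verbatim gets a ``NameError``; add ``from django.http import HttpResponse`` alongside the ``from django.contrib.csrf.middleware import csrf_exempt`` line so the example is runnable as shown. The moved AJAX sentence ("You don't have to worry about doing this for most AJAX views...") now correctly points forward to the section that explains why the header-based exemption is safe, which is clearer than the old bare "(see below)".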
@ -72,12 +79,13 @@ The Content-Type is checked before modifying the response, and only
|
||||||
pages that are served as 'text/html' or 'application/xml+xhtml'
|
pages that are served as 'text/html' or 'application/xml+xhtml'
|
||||||
are modified.
|
are modified.
|
||||||
|
|
||||||
AJAX requests sent with "X-Requested-With: XMLHttpRequest", as done by
|
The middleware tries to be smart about requests that come in via AJAX. Many
|
||||||
many AJAX toolkits, are detected and automatically excepted from this
|
JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header;
|
||||||
mechanism. This is because in the context of a browser, this header
|
these requests are detected and automatically *not* handled by this middleware.
|
||||||
can only be added by using XMLHttpRequest, and browsers already
|
We can do this safely because, in the context of a browser, the header can only
|
||||||
implement a same-domain policy for XMLHttpRequest. This is not secure
|
be added by using ``XMLHttpRequest``, and browsers already implement a
|
||||||
if you do not trust content within the same domain or sub-domains.
|
same-domain policy for ``XMLHttpRequest``. (Note that this is not secure if you
|
||||||
|
don't trust content within the same domain or subdomains.)
|
||||||
|
|
||||||
The above two functions of ``CsrfMiddleware`` are split between two
|
The above two functions of ``CsrfMiddleware`` are split between two
|
||||||
classes: ``CsrfResponseMiddleware`` and ``CsrfViewMiddleware``
|
classes: ``CsrfResponseMiddleware`` and ``CsrfViewMiddleware``
|
||||||
|
|
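Review bot: The security caveat at the end of the reworded AJAX paragraph is easy to miss as a parenthetical; since the exemption rests entirely on the browser's same-domain policy for ``XMLHttpRequest``, consider stating it as its own sentence (or an RST ``.. warning::`` block, matching the ``.. versionadded::`` directive style already used in this file) and spelling out the consequence: any script that can run within the same domain or subdomains can send a request carrying ``X-Requested-With: XMLHttpRequest`` and will bypass ``CsrfMiddleware`` for that request.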