Edited ref/contrib/csrf.txt changes from [9554]

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9593 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Adrian Holovaty 2008-12-08 04:15:19 +00:00
parent 352efd1893
commit e9b90d9899
1 changed files with 18 additions and 10 deletions


@ -35,11 +35,18 @@ Exceptions
.. versionadded:: 1.1 .. versionadded:: 1.1
To manually exclude a view function from being handled by the To manually exclude a view function from being handled by the
CsrfMiddleware, you can use the ``csrf_exempt`` decorator (found in CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in
the ``django.contrib.csrf.middleware`` module). the ``django.contrib.csrf.middleware`` module. For example::
AJAX requests sent with "X-Requested-With: XMLHttpRequest" are from django.contrib.csrf.middleware import csrf_exempt
automatically exempt (see below).
def my_view(request):
return HttpResponse('Hello world')
my_view = csrf_exempt(my_view)
You don't have to worry about doing this for most AJAX views. Any request sent
with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the next
section.)
How it works How it works
============ ============
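Review bot: the new ``csrf_exempt`` example in this hunk uses ``HttpResponse`` without importing it, so a reader who copies the snippet verbatim gets a ``NameError``; add ``from django.http import HttpResponse`` above the ``from django.contrib.csrf.middleware import csrf_exempt`` line. The sentence "Any request sent with "X-Requested-With: XMLHttpRequest" is automatically exempt" also states the exemption without the condition under which it is safe; since the next section already explains that it relies on browsers only adding that header through ``XMLHttpRequest`` and on the same-domain policy, consider phrasing it here as "is automatically exempt, because browsers only send that header from ``XMLHttpRequest``", so the reader does not take the exemption as unconditional.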
@ -72,12 +79,13 @@ The Content-Type is checked before modifying the response, and only
pages that are served as 'text/html' or 'application/xml+xhtml' pages that are served as 'text/html' or 'application/xml+xhtml'
are modified. are modified.
AJAX requests sent with "X-Requested-With: XMLHttpRequest", as done by The middleware tries to be smart about requests that come in via AJAX. Many
many AJAX toolkits, are detected and automatically excepted from this JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header;
mechanism. This is because in the context of a browser, this header these requests are detected and automatically *not* handled by this middleware.
can only be added by using XMLHttpRequest, and browsers already We can do this safely because, in the context of a browser, the header can only
implement a same-domain policy for XMLHttpRequest. This is not secure be added by using ``XMLHttpRequest``, and browsers already implement a
if you do not trust content within the same domain or sub-domains. same-domain policy for ``XMLHttpRequest``. (Note that this is not secure if you
don't trust content within the same domain or subdomains.)
The above two functions of ``CsrfMiddleware`` are split between two The above two functions of ``CsrfMiddleware`` are split between two
classes: ``CsrfResponseMiddleware`` and ``CsrfViewMiddleware`` classes: ``CsrfResponseMiddleware`` and ``CsrfViewMiddleware``