From e9b90d98998da48d4ac18aabe135fa4200547be5 Mon Sep 17 00:00:00 2001 From: Adrian Holovaty Date: Mon, 8 Dec 2008 04:15:19 +0000 Subject: [PATCH] Edited ref/contrib/csrf.txt changes from [9554] git-svn-id: http://code.djangoproject.com/svn/django/trunk@9593 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/ref/contrib/csrf.txt | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index f83fc6e438..f89cb1503e 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -35,11 +35,18 @@ Exceptions .. versionadded:: 1.1 To manually exclude a view function from being handled by the -CsrfMiddleware, you can use the ``csrf_exempt`` decorator (found in -the ``django.contrib.csrf.middleware`` module). +CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in +the ``django.contrib.csrf.middleware`` module. For example:: -AJAX requests sent with "X-Requested-With: XMLHttpRequest" are -automatically exempt (see below). + from django.contrib.csrf.middleware import csrf_exempt + + def my_view(request): + return HttpResponse('Hello world') + my_view = csrf_exempt(my_view) + +You don't have to worry about doing this for most AJAX views. Any request sent +with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the next +section.) How it works ============ 
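Review bot: the new ``csrf_exempt`` example in this hunk uses ``HttpResponse`` without importing it; add ``from django.http import HttpResponse`` next to the ``csrf_exempt`` import so the snippet runs as pasted. The example should also carry the caveat the surrounding text leaves implicit: a view excluded this way gets no CSRF check from the middleware at all, so it must not perform state-changing actions on a plain POST unless it does its own verification, and the docs should say so in the sentence introducing the example. Minor wording point on the closing paragraph: "You don't have to worry about doing this for most AJAX views" reads as reassurance rather than documentation; "You usually do not need ``csrf_exempt`` for AJAX views, because any request sent with ... is exempted automatically" states the same fact more precisely.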
@@ -72,12 +79,13 @@ The Content-Type is checked before modifying the response, and only pages that are served as 'text/html' or 'application/xml+xhtml' are modified. -AJAX requests sent with "X-Requested-With: XMLHttpRequest", as done by -many AJAX toolkits, are detected and automatically excepted from this -mechanism. This is because in the context of a browser, this header -can only be added by using XMLHttpRequest, and browsers already -implement a same-domain policy for XMLHttpRequest. This is not secure -if you do not trust content within the same domain or sub-domains. +The middleware tries to be smart about requests that come in via AJAX. Many +JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header; +these requests are detected and automatically *not* handled by this middleware. +We can do this safely because, in the context of a browser, the header can only +be added by using ``XMLHttpRequest``, and browsers already implement a +same-domain policy for ``XMLHttpRequest``. (Note that this is not secure if you +don't trust content within the same domain or subdomains.) The above two functions of ``CsrfMiddleware`` are split between two classes: ``CsrfResponseMiddleware`` and ``CsrfViewMiddleware``
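Review bot: the rewritten AJAX paragraph in this hunk justifies the exemption by the browser same-domain policy and then only notes in parentheses that it "is not secure if you don't trust content within the same domain or subdomains" without saying why; spell out that any script already running on the same origin (injected content, or a subdomain you do not control) can issue an ``XMLHttpRequest`` carrying the ``X-Requested-With`` header, so the exemption rests entirely on that header being something a cross-site page cannot set, and make the caveat a sentence of its own rather than an aside. "The middleware tries to be smart about requests that come in via AJAX" is vaguer than the text it replaces; say directly that requests carrying the header are not checked by ``CsrfViewMiddleware``. Separately, the unchanged context line above names 'application/xml+xhtml'; the registered XHTML media type is 'application/xhtml+xml', so check which string the middleware actually compares against and make the docs match it.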