[1.3.X] Fixed #15469 - CSRF token is inserted on GET requests

Thanks to goran for report. Backport of [16191] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 21:37:52 +00:00 · 2011-05-09 21:37:52 +00:00 · fb052a15ed
parent b3a4613595
commit fb052a15ed
1 changed files with 5 additions and 1 deletions
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@ -124,7 +124,11 @@ that allow headers to be set on every request. In jQuery, you can use the
                // or any other URL that isn't scheme relative or absolute i.e relative.
                !(/^(\/\/|http:|https:).*/.test(url));
        }
-        if (sameOrigin(settings.url)) {
+        function safeMethod(method) {
+            return (method === 'GET' || method === 'HEAD');
+        }
+
+        if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
            xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
        }
    });