From e9342e9b3200bb55d92e67a3b9be7392a3e54b56 Mon Sep 17 00:00:00 2001
From: Luke Plant <L.Plant.98@cantab.net>
Date: Mon, 9 May 2011 19:06:57 +0000
Subject: [PATCH] Fixed #15469 - CSRF token is inserted on GET requests

Thanks to goran for report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16191 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 docs/ref/contrib/csrf.txt | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 6d9a33db222..8acab718d30 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -114,7 +114,11 @@ that allow headers to be set on every request. In jQuery, you can use the
                 // or any other URL that isn't scheme relative or absolute i.e relative.
                 !(/^(\/\/|http:|https:).*/.test(url));
         }
-        if (sameOrigin(settings.url)) {
+        function safeMethod(method) {
+            return (method === 'GET' || method === 'HEAD');
+        }
+
+        if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
             xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
         }
     });