Changing CSRF_COOKIE_NAME breaks CSRF handling in DjangoCMS AJAX actions #1147

Closed
pannal opened this Issue Jan 20, 2012 · 2 comments


@pannal
pannal commented Jan 20, 2012

As /static/cms//js/csrf.js and CMS.API.Security rely on CSRF_COOKIE_NAME being the default, which is "csrftoken", AJAX features such as the moderation feature in the pages change list break when CSRF_COOKIE_NAME is set to something else.

Temporary fix:
Don't change CSRF_COOKIE_NAME ;)

Suggested fix:
settings.CSRF_COOKIE_NAME should be passed to JavaScript as a cms_setting or something like that, which could then be used in csrf.js and CMS.API.Security instead of getCookie("csrftoken").
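
The suggested fix above, sketched as an added example that is not part of the original issue or of django CMS's own code: the cookie name is taken from a settings object handed to the page instead of a hard-coded "csrftoken". `cmsSettings.csrfCookieName`, the function names, and the sample cookie values and URLs are assumptions; `X-CSRFToken` is the header Django's CSRF middleware reads by default.

```javascript
// Added example; cmsSettings.csrfCookieName is a hypothetical setting name
// standing in for settings.CSRF_COOKIE_NAME rendered into the page.

// Read one cookie by exact name from a document.cookie-style string.
function getCookie(name, cookieString) {
  for (const pair of (cookieString || '').split(';')) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf('=');
    if (eq === -1) continue;
    if (trimmed.slice(0, eq) === name) {
      return decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

// Methods that Django's CSRF middleware does not check.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Only same-origin requests may carry the token, so it never leaks
// to another host through an absolute or protocol-relative URL.
function sameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false;
  }
}

// Build the extra headers for an AJAX request. The cookie name comes from
// the server-provided settings, falling back to Django's default.
function csrfHeaders(cmsSettings, method, url, cookieString, pageOrigin) {
  if (csrfSafeMethod(method) || !sameOrigin(url, pageOrigin)) return {};
  const name = cmsSettings.csrfCookieName || 'csrftoken';
  const token = getCookie(name, cookieString);
  return token ? { 'X-CSRFToken': token } : {};
}

// Constructed sample: a site that set CSRF_COOKIE_NAME = "mysite_csrf".
const SAMPLE_COOKIES = 'sessionid=abc123; mysite_csrf=tok-42; lang=en';
const SAMPLE_SETTINGS = { csrfCookieName: 'mysite_csrf' };
const SAMPLE_ORIGIN = 'https://cms.example';
```

In a browser, `cookieString` would be `document.cookie` and `pageOrigin` would be `window.location.origin`; with an empty settings object the sample cookies yield no header, which is the failure the issue describes.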

@pannal
pannal commented Jan 20, 2012

This also may be the case with cmsplugin_contact, which uses the internal WYMEditor - CSRF failure after clicking "insert plugin" in the editor.

@ojii
Collaborator
ojii commented Jun 26, 2012

We need a new way to handle AJAX/CSRF.

@FinalAngel FinalAngel was assigned Jun 3, 2013
@FinalAngel FinalAngel closed this Jul 9, 2013