[1.2.X] Fixed #15469 - CSRF token is inserted on GET requests

Thanks to goran for the report.

Backport of [16191] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16194 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit cfc1756ef57b019b772ac60e651a76fe2d41a7e1 1 parent 87fa64c
Luke Plant authored May 09, 2011

Showing 1 changed file with 5 additions and 1 deletion.

6  docs/ref/contrib/csrf.txt
@@ -124,7 +124,11 @@ that allow headers to be set on every request. In jQuery, you can use the
124 124
                 // or any other URL that isn't scheme relative or absolute i.e relative.
125 125
                 !(/^(\/\/|http:|https:).*/.test(url));
126 126
         }
127  
-        if (sameOrigin(settings.url)) {
  127
+        function safeMethod(method) {
  128
+            return (method === 'GET' || method === 'HEAD');
  129
+        }
  130
+
  131
+        if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
128 132
             xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
129 133
         }
130 134
     });
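Review bot: the `safeMethod` helper added in this hunk compares `settings.type` with `===` against the upper-case strings `'GET'` and `'HEAD'`, so a caller that passes `type: 'get'` (or a jQuery version that has not upper-cased `type` by the time `beforeSend` runs) falls through to the `setRequestHeader("X-CSRFToken", ...)` branch. That fails closed (the header is simply sent on a GET, which is what the snippet did before this change), but since this is reference documentation it is worth either normalizing with `method.toUpperCase()` or stating that the comparison is case-sensitive. The helper also treats only GET and HEAD as safe and omits OPTIONS and TRACE; a one-line comment saying which methods the snippet considers "safe" and why would stop readers from extending the list on their own.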
