[1.2.X] Fixed #15245 -- Added note about the CSRF AJAX exception to the 1.2.5 release notes. Thanks to Matt Austin for the report.

Backport of r15478 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15480 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit e62e740732beed767da10312714ae380d6dc92b1 1 parent 66dc41a
Russell Keith-Magee authored February 09, 2011

Showing 1 changed file with 60 additions and 1 deletion.

docs/releases/1.2.5.txt (61 changed lines)
@@ -7,7 +7,7 @@ Welcome to Django 1.2.5!
 This is the fifth "bugfix" release in the Django 1.2 series,
 improving the stability and performance of the Django 1.2 codebase.
 
-With two exceptions, Django 1.2.5 maintains backwards compatibility
+With three exceptions, Django 1.2.5 maintains backwards compatibility
 with Django 1.2.4, but contain a number of fixes and other
 improvements. Django 1.2.5 is a recommended upgrade for any
 development or deployment currently using or targeting Django 1.2.
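Review bot: the changed line bumps the count to "three exceptions", so before merge confirm that the "Backwards incompatible changes" section below now has exactly three subsections once "CSRF exception for AJAX requests" is added; a stale count here is the kind of detail that drifts on later backports. While this paragraph is being edited, the unchanged context line "with Django 1.2.4, but contain a number of fixes and other" has a subject-verb mismatch with "Django 1.2.5" and should read "but contains a number of fixes".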
@@ -18,6 +18,65 @@ deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.
 Backwards incompatible changes
 ==============================
 
+CSRF exception for AJAX requests
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Django includes a CSRF-protection mechanism, which makes use of a
+token inserted into outgoing forms. Middleware then checks for the
+token's presence on form submission, and validates it.
+
+Prior to Django 1.2.5, our CSRF protection made an exception for AJAX
+requests, on the following basis:
+
+    * Many AJAX toolkits add an X-Requested-With header when using
+      XMLHttpRequest.
+
+    * Browsers have strict same-origin policies regarding
+      XMLHttpRequest.
+
+    * In the context of a browser, the only way that a custom header
+      of this nature can be added is with XMLHttpRequest.
+
+Therefore, for ease of use, we did not apply CSRF checks to requests
+that appeared to be AJAX on the basis of the X-Requested-With header.
+The Ruby on Rails web framework had a similar exemption.
+
+Recently, engineers at Google made members of the Ruby on Rails
+development team aware of a combination of browser plugins and
+redirects which can allow an attacker to provide custom HTTP headers
+on a request to any website. This can allow a forged request to appear
+to be an AJAX request, thereby defeating CSRF protection which trusts
+the same-origin nature of AJAX requests.
+
+Michael Koziarski of the Rails team brought this to our attention, and
+we were able to produce a proof-of-concept demonstrating the same
+vulnerability in Django's CSRF handling.
+
+To remedy this, Django will now apply full CSRF validation to all
+requests, regardless of apparent AJAX origin. This is technically
+backwards-incompatible, but the security risks have been judged to
+outweigh the compatibility concerns in this case.
+
+Additionally, Django will now accept the CSRF token in the custom HTTP
+header X-CSRFTOKEN, as well as in the form submission itself, for ease
+of use with popular JavaScript toolkits which allow insertion of
+custom headers into all AJAX requests.
+
+The following example using the jQuery JavaScript toolkit demonstrates
+this; the call to jQuery's ajaxSetup will cause all AJAX requests to
+send back the CSRF token in the custom X-CSRFTOKEN header::
+
+    $.ajaxSetup({
+            beforeSend: function(xhr, settings) {
+                if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
+                    // Only send the token to relative URLs i.e. locally.
+                    xhr.setRequestHeader("X-CSRFToken",
+                                         $("#csrfmiddlewaretoken").val());
+                }
+            }
+        });
+
+
 FileField no longer deletes files
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
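Review bot: the origin check in the jQuery example is looser than its comment claims: `!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))` treats every URL that does not begin with `http:` or `https:` as local, so a protocol-relative URL such as `//other-host/path` would still receive the `X-CSRFToken` header and the token would be sent to another origin. Consider making the test explicitly same-origin (for example, accept only paths that start with a single `/`, or compare the request's host against `document.location.host`) so the code matches "Only send the token to relative URLs i.e. locally." Two smaller points: the prose spells the header `X-CSRFTOKEN` while the code sends `X-CSRFToken`; header names are case-insensitive, but the note should settle on one spelling, preferably the one in the example. And `$("#csrfmiddlewaretoken").val()` assumes an element with that id exists in the page, whereas the text only says a token is inserted into outgoing forms; a sentence on where that element comes from would help readers of the release note.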

0 notes on commit e62e740
