Fixed #15469 - CSRF token is inserted on GET requests

Thanks to goran for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16191 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit e9342e9b3200bb55d92e67a3b9be7392a3e54b56 1 parent 7c648ea
Luke Plant spookylukey authored
Showing with 5 additions and 1 deletion.
+5 −1 docs/ref/contrib/csrf.txt
@@ -114,7 +114,11 @@ that allow headers to be set on every request. In jQuery, you can use the
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}
- if (sameOrigin(settings.url)) {
+ function safeMethod(method) {
+ return (method === 'GET' || method === 'HEAD');
+ }
+
+ if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
}
});
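Review bot: the new `safeMethod(method)` on the `+` lines only exempts `GET` and `HEAD`, while Django's `CsrfViewMiddleware` also skips the token check for `OPTIONS` and `TRACE`, so the snippet still sends `X-CSRFToken` on those two (harmless, just out of step with the server side). Consider `return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));` so the client-side list matches the middleware. Since this lives in docs/ref/contrib/csrf.txt, the text before the snippet should also say in one sentence why the header is omitted for safe methods: the middleware never checks the token on them, so sending it gains nothing and the fix to #15469 is purely about not doing unnecessary work. A short comment on `safeMethod` in the snippet itself would make the intent clear to readers who copy it.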