Edited ref/contrib/csrf.txt changes from [9554]

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9593 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit e9b90d98998da48d4ac18aabe135fa4200547be5 1 parent 352efd1
Adrian Holovaty authored December 08, 2008

Showing 1 changed file with 18 additions and 10 deletions.

docs/ref/contrib/csrf.txt (28 changed lines)
@@ -35,11 +35,18 @@ Exceptions
35 35
 .. versionadded:: 1.1
36 36
 
37 37
 To manually exclude a view function from being handled by the
38  
-CsrfMiddleware, you can use the ``csrf_exempt`` decorator (found in
39  
-the ``django.contrib.csrf.middleware`` module).
  38
+CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in
  39
+the ``django.contrib.csrf.middleware`` module. For example::
40 40
 
41  
-AJAX requests sent with "X-Requested-With: XMLHttpRequest" are
42  
-automatically exempt (see below).
  41
+    from django.contrib.csrf.middleware import csrf_exempt
  42
+
  43
+    def my_view(request):
  44
+        return HttpResponse('Hello world')
  45
+    my_view = csrf_exempt(my_view)
  46
+
  47
+You don't have to worry about doing this for most AJAX views. Any request sent
  48
+with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the next
  49
+section.)
43 50
 
44 51
 How it works
45 52
 ============
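Review bot: the new example (lines 41-45 of the hunk) calls ``HttpResponse`` but never imports it, while the one import it does show (``from django.contrib.csrf.middleware import csrf_exempt``) suggests the snippet is meant to be pasted as-is; add ``from django.http import HttpResponse`` alongside it so the example runs. The assignment form ``my_view = csrf_exempt(my_view)`` is fine given the decorator syntax is not used elsewhere in this file, but a blank line between the view body and that assignment would match the spacing of the rest of the docs.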
@@ -72,12 +79,13 @@ The Content-Type is checked before modifying the response, and only
72 79
 pages that are served as 'text/html' or 'application/xml+xhtml'
73 80
 are modified.
74 81
 
75  
-AJAX requests sent with "X-Requested-With: XMLHttpRequest", as done by
76  
-many AJAX toolkits, are detected and automatically excepted from this
77  
-mechanism.  This is because in the context of a browser, this header
78  
-can only be added by using XMLHttpRequest, and browsers already
79  
-implement a same-domain policy for XMLHttpRequest.  This is not secure
80  
-if you do not trust content within the same domain or sub-domains.
  82
+The middleware tries to be smart about requests that come in via AJAX. Many
  83
+JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header;
  84
+these requests are detected and automatically *not* handled by this middleware.
  85
+We can do this safely because, in the context of a browser, the header can only
  86
+be added by using ``XMLHttpRequest``, and browsers already implement a
  87
+same-domain policy for ``XMLHttpRequest``. (Note that this is not secure if you
  88
+don't trust content within the same domain or subdomains.)
81 89
 
82 90
 The above two functions of ``CsrfMiddleware`` are split between two
83 91
 classes: ``CsrfResponseMiddleware`` and ``CsrfViewMiddleware``
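Review bot: "We can do this safely because ... the header can only be added by using ``XMLHttpRequest``" (lines 85-87 of the hunk) states as a guarantee what is really an assumption, and the parenthetical that follows already concedes it does not hold when same-origin content is untrusted. The old wording ("This is not secure if you do not trust content within the same domain or sub-domains") was at least a standalone sentence; the rewrite demotes it to a parenthetical, which is the wrong direction for a caveat that decides whether the automatic exemption is sound for a given site. Suggest dropping "safely", phrasing the justification as the assumption it is (the exemption relies on nothing but ``XMLHttpRequest`` being able to attach that header from a browser), and moving the same-origin caveat into a ``.. note::`` or ``.. warning::`` directive, consistent with the ``.. versionadded::`` directive this file already uses, so readers who rely on the AJAX exemption see it.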
