From c391021c70cdd529e998a8f6f53fbe68ac37255b Mon Sep 17 00:00:00 2001
From: Christopher Groskopf
Date: Wed, 8 Aug 2012 16:20:12 -0500
Subject: [PATCH] Add note for posterity.
---
panda/api/utils.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/panda/api/utils.py b/panda/api/utils.py
index 2c038f1..76182ad 100644
--- a/panda/api/utils.py
+++ b/panda/api/utils.py
@@ -132,6 +132,8 @@ def try_sessions(self, request, **kwargs):
 if not same_origin(referer, good_referer):
 return False
+ # Tastypie docstring says accessing POST here isn't safe, but so far it's not causing any problems...
+ # This is necessary for downloads that post the csrf token from an iframe
 request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '') or request.POST.get('csrfmiddlewaretoken', '')
 if not constant_time_compare(request_csrf_token, csrf_token):
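Review bot: The first added comment records that reading `request.POST` here is believed to be harmless without saying what the hazard is, so the next maintainer cannot judge when the belief stops holding. The caveat the Tastypie/Django docstrings are pointing at is, as far as I recall, that touching `request.POST` in an authentication hook parses and consumes the request body, so a handler that later wants the raw stream (for example a multipart or streamed upload) may find it already read; the fallback is only reached when the `X-CSRFToken` header is absent or empty. I would replace the vague first line with something like `# Reading request.POST here consumes the request body (see Tastypie's SessionAuthentication docstring); acceptable only because the fallback is for form-posted iframe downloads, not uploads.` and keep the second line as the why-comment. `try_sessions` begins before this hunk and continues after it, and `csrf_token` is defined outside the hunk, so I have not reviewed how it is obtained.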