
Comments (5)

adamchainz commented on August 19, 2024

Yes, please open another issue. I'm not sure, but I think just disabling CSRF is the sensible thing, since we're explicitly allowing cross-site requests. Also, most people use CORS to protect APIs which take JSON, rather than HTML form data, which is what CSRF is mostly about protecting.


brad commented on August 19, 2024

Is it failing on POST requests only? I had that problem and found that I had to add the csrf token from the API server to the AJAX request header named X-CSRFToken. To get the token, in the API view I added the token to the response in a header.


danielmbaluka commented on August 19, 2024

@brad how did you solve this in the APIView? Some code snippet?


adamchainz commented on August 19, 2024

Django has some docs on adding this to all AJAX requests: https://docs.djangoproject.com/en/1.10/ref/csrf/#ajax

Hope that helps. Closing this issue as it's old.


ustun commented on August 19, 2024

Well, the Django docs actually do not address this issue. There, it is suggested that you read the CSRF token from the cookie on the API server, but in a CORS setting this is not possible.

That is, if I have two servers, API server and the cross-origin server, the cross-origin server cannot access the cookies of the API server, hence cannot set the X-CSRF header.

The only way I can think of is to add another endpoint to the API server that returns the CSRF token in a GET request, then save that in the cross-origin server's code and use it in further POST requests; however, that doesn't seem very secure according to https://github.com/pillarjs/understanding-csrf/

Also see pillarjs/understanding-csrf#6 .

Here, it seems to suggest that having a special endpoint for /csrf seems OK as long as we only allow CORS access from the cross-origin server we explicitly manage.

However, I am still not sure what the best way to deal with CSRF in a CORS setting is. Should we just ignore CSRF for CORS? Some pointers in the docs regarding that would be helpful. I can open another issue for that if you like.

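The pattern brad describes (token handed out in a response header, echoed back in `X-CSRFToken`) and the `/csrf` endpoint ustun proposes are the same thing, and the point in pillarjs/understanding-csrf#6 is what makes it safe: the endpoint that reveals the token must only be readable by the origins you explicitly allow. The following is an added, framework-free sketch of that server-side logic, not code from django-cors-headers or from any commenter. `ALLOWED_ORIGINS`, `SECRET_KEY`, `SESSIONS`, `handle_request` and the cookie/session shape are all assumptions standing in for the Django pieces; the token is an HMAC over the session id, which is one way to bind it to the session without extra storage (Django's own scheme differs).

```python
"""
Added example: a minimal model of "GET /csrf, then POST with X-CSRFToken"
behind a CORS origin allowlist. Not django-cors-headers code; every name
below is an assumption chosen for illustration.
"""
import hashlib
import hmac
import secrets

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed front-end origin
SECRET_KEY = b"assumed-server-secret"          # stands in for Django's SECRET_KEY
SESSIONS = {}                                  # session id -> data; stands in for the session backend


def _csrf_token_for(session_id: str) -> str:
    # Token is bound to the session via HMAC, so nothing extra needs storing.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _cors_headers(origin):
    # Only an allowlisted origin may read the response (and so the token).
    # Expose-Headers is what lets the front-end JS read X-CSRFToken at all.
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Expose-Headers": "X-CSRFToken",
            "Vary": "Origin",
        }
    return {}


def handle_request(method, path, headers, cookies):
    """Return (status, response_headers, body) for a tiny API with a /csrf endpoint."""
    origin = headers.get("Origin")
    session_id = cookies.get("sessionid")
    if session_id is None or session_id not in SESSIONS:
        return 401, _cors_headers(origin), "no session"

    if method == "GET" and path == "/csrf":
        if origin not in ALLOWED_ORIGINS:
            # A site outside the allowlist must not be handed the token.
            return 403, {}, "origin not allowed"
        resp_headers = _cors_headers(origin)
        resp_headers["X-CSRFToken"] = _csrf_token_for(session_id)
        return 200, resp_headers, ""

    if method == "POST":
        # State-changing requests: Origin (when present) must be allowlisted
        # AND the token fetched from /csrf must be echoed in X-CSRFToken.
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return 403, {}, "origin not allowed"
        sent = headers.get("X-CSRFToken", "")
        if not hmac.compare_digest(sent, _csrf_token_for(session_id)):
            return 403, _cors_headers(origin), "CSRF check failed"
        return 200, _cors_headers(origin), "ok"

    return 404, _cors_headers(origin), ""


def new_session() -> str:
    """Create a server-side session and return its id (constructed test fixture)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def demo():
    """Drive the two-step flow from the allowed origin: fetch token, then POST with it."""
    cookies = {"sessionid": new_session()}
    allowed = {"Origin": "https://app.example.com"}
    status, hdrs, _ = handle_request("GET", "/csrf", allowed, cookies)
    post_headers = dict(allowed, **{"X-CSRFToken": hdrs["X-CSRFToken"]})
    status2, _, body = handle_request("POST", "/items", post_headers, cookies)
    return status, status2, body


if __name__ == "__main__":
    print(demo())
```

The browser enforces `Access-Control-Allow-Origin`, so a page on an origin outside the allowlist can trigger the GET but cannot read the token out of the response; the server-side 403 on `/csrf` for such origins is belt-and-braces. Note that `Access-Control-Allow-Origin: *` would defeat the scheme entirely, since then any site could read the token.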
