
How do you handle csrf credentials sent to django as url parameters?

I ask because that is, evidently, the only way to submit a file upload via a form in an iFrame.

Most online examples show to pass csrf credentials as headers,

xhr.setRequestHeader("X-CSRFToken", csrfToken);

but this is not an option for iFrame transport in IE/Opera.

I can use csrf_exempt, but this leaves my site vulnerable.


1 Answer


You could create some middleware that takes csrf_token from the GET params and places it on the request before CsrfViewMiddleware attempts to validate.

class CsrfGetParamMiddleware(object):
    def process_request(self, request):
        token = request.GET.get('csrf_token')
        if token:
            # Present it as the X-CSRFToken header so CsrfViewMiddleware validates it
            request.META['HTTP_X_CSRFTOKEN'] = token
        return None

Place this middleware above the CsrfViewMiddleware.

MIDDLEWARE_CLASSES = (
    'yourapp.middleware.CsrfGetParamMiddleware',  # full dotted path to wherever you put the class
    'django.middleware.csrf.CsrfViewMiddleware',
)

This saves you from validating it yourself or subclassing CsrfViewMiddleware.

  • v interesting idea, but are there security precautions that need to be taken into account using csrf as a url parameter in the 1st place?
    – jedierikb
    Commented May 2, 2013 at 15:20
  • 1
    TBH I'm not sure, according to stackoverflow.com/a/198473/682968 GET and POST have the same level of security so it's really no different to POSTing a form 'normally'. Also the csrf token is freely available in the page source as well so anyone could read it there too. Commented May 2, 2013 at 15:25
  • 1
    @rockingskier: The answer you are referring to was accepted, but gained more than 3 times fewer votes than some other answer (stackoverflow.com/a/1744404/548696), not without a reason.
    – Tadeck
    Commented May 6, 2013 at 23:30
  • @Tadeck, so it did, thanks for pointing to the better answer. Commented May 7, 2013 at 8:40
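As an added example (not code from the question or the answer above): the same idea in Django's newer `MIDDLEWARE` style (`__init__(get_response)` / `__call__`), with three checks the original leaves out: only unsafe methods are touched, an `X-CSRFToken` header the client did send is never overwritten, and a missing parameter leaves `META` untouched instead of storing `None`. The `FakeRequest` class and the `promote_csrf_param` helper are assumptions of this example so it runs without Django installed.

```python
# Added example: modern-style equivalent of the answer's middleware.
# The get_response/__call__ protocol is Django's; FakeRequest is a stand-in.

UNSAFE_METHODS = ("POST", "PUT", "PATCH", "DELETE")
PARAM_NAME = "csrf_token"             # query-string name used in the answer
HEADER_META_KEY = "HTTP_X_CSRFTOKEN"  # how Django exposes the X-CSRFToken header


def promote_csrf_param(request):
    """Copy ?csrf_token=... into request.META['HTTP_X_CSRFTOKEN'].

    Returns True only when a token was actually copied, so the caller (and a
    test) can tell the no-op cases apart."""
    # Django's CsrfViewMiddleware only checks state-changing requests.
    if request.method not in UNSAFE_METHODS:
        return False
    # Never clobber a header the client set itself (the XHR case).
    if request.META.get(HEADER_META_KEY):
        return False
    token = request.GET.get(PARAM_NAME)
    if not token:
        # Leave META alone: CsrfViewMiddleware rejects the request on its own,
        # and a None value there is not a valid header.
        return False
    request.META[HEADER_META_KEY] = token
    return True


class CsrfGetParamMiddleware:
    """List this before 'django.middleware.csrf.CsrfViewMiddleware' in
    MIDDLEWARE so the promoted header is present when validation runs."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        promote_csrf_param(request)
        return self.get_response(request)


class FakeRequest:
    """Minimal stand-in for django.http.HttpRequest (assumption, offline only)."""

    def __init__(self, method, GET=None, META=None):
        self.method = method
        self.GET = dict(GET or {})
        self.META = dict(META or {})
```

A token carried in the query string can still end up in Referer headers, proxy and server access logs and browser history, so the view should only accept it on the upload endpoint that needs the iframe transport rather than site-wide.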
