Django CSRF failing with ajax

1
votes

I have a problem with using Django CSRF with Ajax. I get a 403 Forbidden. I have done all the CSRF things that I normally do with a non-ajax request, but I still have this problem. I'm thinking this has something to do with the javascript snippet at https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax.

$(document).ajaxSend(function(event, xhr, settings) {
   function getCookie(name)
   {
      var cookieValue = null;
      if (document.cookie && document.cookie != '')
      {
         var cookies = document.cookie.split(';');
         for (var i = 0; i < cookies.length; i++)
         {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '='))
            {
               cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
               break;
            }
         }
      }
      return cookieValue;
   }
   function sameOrigin(url)
   {
      // url could be relative or scheme relative or absolute
      var host = document.location.host; // host + port
      var protocol = document.location.protocol;
      var sr_origin = '//' + host;
      var origin = protocol + sr_origin;
      // Allow absolute or scheme relative URLs to same origin
      return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
             (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
             // or any other URL that isn't scheme relative or absolute i.e relative.
             !(/^(\/\/|http:|https:).*/.test(url));
   }
   function safeMethod(method)
   {
      return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
   }
   if (!safeMethod(settings.type) && sameOrigin(settings.url))
   {
      xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
   }
});

I'm not currently using this snippet, mostly because I don't understand a word of it and I don't know how to incorporate it into my jquery ajax call:

function submit_search()
{
   $.ajax({
             data:     {query: document.search_form.query.value},
             datatype: 'json',
             success:  function(data, textStatus, XMLHttpRequest)
                       {
                          if (data)
                          {
                             if (check_authentication(data))
                             {
                                $("#results").html("");
                                var results = data[0];
                                var length = data[1];
                                for (var index = 0; index < results.length; ++index)
                                {
                                   var result = results[index];
                                   $("#results").append("<p><a href='/entities/" + result["id"] + "'>" + result["name"] +
                                                        "</a><br />" + result["description"] + "</p>");
                                }
                             }
                             else
                             {
                                offer_login();
                             }
                          }
                       },
             type:     'POST',
             url:      '/ajax/search',
          });
}

Does anyone know how I should go about adding this snippet to my code?

Also tried:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
            // Only send the token to relative URLs i.e. locally.
            xhr.setRequestHeader("X-CSRFToken",
                                 $("#csrfmiddlewaretoken").val());
        }
    }
});

but this also does not seem to work, although I'm not sure whether I should be doing something for the bit about #csrfmiddlewaretoken in my form

Thanks

2
ajaxdjangocsrf

2 Answers

3
votes

All you need to do is paste the code block in such a way that the code in it runs. If you have a global JS file, you should be able to just add that JavaScript to the end of said file, and it will fix the problem.

1
votes

well, couple steps required as stated in https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

To summarize the tedious django doc, you will need to: 1. install jquery.cookie plugins 2. make sure crsf_token is passing around

for example, in your template, the form must contain the following hidden field

<input type="hidden" name="csrfmiddlewaretoken" value="{{csrf_token}}"/>

In your ajax request, you should so similar things like

csrf_token = $.cookie('csrftoken');
$.ajax({
   url: '/url/',
           type: 'POST',
           beforeSend: function(xhr, settings) {
               xhr.setRequestHeader("X-CSRFToken", csrf_token);
            },
           data: $('.form').serialize(), //assume you are submit a form
 }).done(function(response){
         console.log(response)
 });

one small tricks that you might be missing is, your landing page(non-ajax) will need @csrf_protect decorator to set up cookie, if you don't do that, the cookie won't exists and the method will fail. If you don't want to do @csrf_protect decorator, you can always refer back to the doc and specifically setup the cookie. Either way will work.

Hope this helps.