From 840314bde48f8df47b9b6f6a32b1051b9980df30 Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Sat, 12 Feb 2011 23:49:18 +0000 Subject: [PATCH] [1.1.X] Fixed #15284 - improved example jQuery code for adding X-CSRF-Token Using the ajaxSend event is better than beforeSend, because the beforeSend callback can have only one value, which makes it painful if it is needed by multiple bits of javascript. Thanks to LukeMaurer for report and initial patch. Backport of [15515] from trunk. This is backported to 1.1.X because it really belongs with security patch [15466] git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15518 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/ref/contrib/csrf.txt | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 0c4b4006c2..45d4b459c7 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -48,17 +48,15 @@ document and pass it in as POST data with every POST request. For this reason, there is an alternative method: on each XMLHttpRequest, set a custom `X-CSRFToken` header to the value of the CSRF token. This is often easier, because many javascript frameworks provide hooks that allow headers to be set on -every request. In jQuery, you can use the ``beforeSend`` hook as follows: +every request. In jQuery, you can use the ``ajaxSend`` event as follows: .. code-block:: javascript - $.ajaxSetup({ - beforeSend: function(xhr, settings) { - if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) { - // Only send the token to relative URLs i.e. locally. - xhr.setRequestHeader("X-CSRFToken", - $("#csrfmiddlewaretoken").val()); - } + $('html').ajaxSend(function(event, xhr, settings) { + if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) { + // Only send the token to relative URLs i.e. locally. + xhr.setRequestHeader("X-CSRFToken", + $("#csrfmiddlewaretoken").val()); } });