How do you handle csrf credentials sent to django as url parameters?
I ask because that is, evidently, the only way to submit a file upload via a form in an iFrame.
Most online examples show to pass csrf credentials as headers,
xhr.setRequestHeader("X-CSRFToken", csrfToken );
but this is not an option for iFrame transport in ie/opera.
I can use csrf_exempt
, but this leaves my site vulnerable.
You could create some middleware that takes csrf_token
from the GET params and places it on the request before CsrfViewMiddleware
attempts to validate
class CsrfGetParamMiddleware(object):
def process_request(self, request):
request.META['HTTP_X_CSRFTOKEN'] = request.GET.get('csrf_token')
return None
Place this middleware above the CsrfViewMiddleware
MIDDLEWARE_CLASSES = (
'CsrfGetParamMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
)
This save you from validating it yourself or subclassing CsrfViewMiddleware