Django, CSRF protection and js generated form
Posted by Neewok on Stack Overflow
Published on 2010-06-08T03:54:22Z
I have to create a form dynamically via javascript (yeah, that sounds ugly, but read this for the reason) and want to make its submission CSRF proof.
Usually, I use the @csrf_protect decorator in my views, and the {% csrf_token %} tag in my templates, as recommended in the doc.
But what should I do with a client-side generated form? If I add a '/get_token/' view to generate a token on the server and obtain its value (say, via JSONP), then that means that I'm creating a backdoor an attacker could use to bypass the protection.
Kinda head-scratching.
What would you recommend?
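An added example (not part of the original question) of the defensive alternative to a token-issuing endpoint: Django's CsrfViewMiddleware already places the token in the `csrftoken` cookie and checks it against a POST field named `csrfmiddlewaretoken`, so same-origin script can read the cookie and add the hidden field to the generated form; a cross-origin attacker page cannot read that cookie, whereas a JSONP `/get_token/` view would hand it out. It assumes the cookie is readable by JavaScript (Django's default) and that `/submit/` is a hypothetical `@csrf_protect`-decorated view; `getCookie` and `buildCsrfForm` are names chosen here.

```javascript
// Added example, not code from the original post. Pull one cookie value out of a
// raw document.cookie string (e.g. "sessionid=abc; csrftoken=T0k3n").
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build a POST form with the given fields plus Django's CSRF hidden input.
// `doc` is passed in (normally window.document) so the function can be
// exercised with a stand-in document object outside a browser.
function buildCsrfForm(doc, action, fields, token) {
  if (!token) {
    // Refuse to build an unprotected form rather than silently posting without a token.
    throw new Error("CSRF token missing: cannot build a protected form");
  }
  const form = doc.createElement("form");
  form.method = "POST";
  form.action = action;
  // csrfmiddlewaretoken is the field name CsrfViewMiddleware looks for.
  const allFields = { csrfmiddlewaretoken: token, ...fields };
  for (const [name, value] of Object.entries(allFields)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  return form;
}

// Browser usage: read the same-origin cookie, build the form, attach it.
// No server round trip and no token endpoint are involved.
if (typeof document !== "undefined") {
  const token = getCookie(document.cookie, "csrftoken");
  const form = buildCsrfForm(document, "/submit/", { comment: "hello" }, token);
  document.body.appendChild(form);
  // form.submit();  // when ready to post
}
```

If the token is instead rendered into the page with `{% csrf_token %}`, the same `buildCsrfForm` works with the value read from that hidden input rather than from the cookie.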
© Stack Overflow or respective owner