Django - How to do CSFR on public pages? Or, better yet, how should it be used period?

Posted by orokusaki on Stack Overflow See other posts from Stack Overflow or by orokusaki
Published on 2010-03-12T01:10:10Z Indexed on 2010/03/12 1:17 UTC
Read the original article Hit count: 511

Filed under:

csrf

|

django-csrf

|

django

After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it

I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct?

I guess I don't really understand when it's safe to use this because of this statement:

This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

The reason it's confusing is that to me an "external URL" would be on that isn't part of my domain (ie, I own www.example.com and put a form that posts to www.spamfoo.com. This obviously can't be the case since people wouldn't use Django for generating forms that post to other people's websites, but how could it be true that you can't use CSRF protection on public forms (like a login form)?

© Stack Overflow or respective owner

Related posts about csrf

Django CSRF framework cannot be disabled and is breaking my site

as seen on Stack Overflow - Search for 'Stack Overflow'
The django csrf middleware can't be disabled. I've commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware? I have to disable it because there are lots… >>> More
Make CSRF middleware work in Django's 404 error pages

as seen on Stack Overflow - Search for 'Stack Overflow'
I put a login box alone with a keyword search box in 404.html in a Django project so in case a 404 error is raised, visitors get more options to jump to other parts. But the CSRF middleware doesn't work in 404 error page with no csrf token rendered. I tried move 'django.middleware.csrf.CsrfViewMiddleware'… >>> More
CSRF (Cross-site request forgery) attack example and prevention in PHP

as seen on Stack Overflow - Search for 'Stack Overflow'
I have an website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this: http://mysite… >>> More
Having a POST'able API and Django's CSRF Middleware

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403. I understand why this is happening, but what is the proper… >>> More
HtmlUnit to login (post form) to csrf enable website

as seen on Stack Overflow - Search for 'Stack Overflow'
I am posting a form using HTMLUnit webClient by putting the username and password but it could not logging me in. When i research then found out that they have enable csrf on post request so native web browser is required. Is there any way to login (post form) in csrf enable website using HTMLUnit… >>> More

Related posts about django-csrf

Django CSRF failure when form posts to a different frame

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm building a page where I want to have a form that posts to an iframe on the same page. The Template looks like this: <form action="form-results" method="post" target="resultspane" > {% csrf_token %} <input name="query"> <input type=submit> </form> … >>> More
Django CSRF framework cannot be disabled and is breaking my site

as seen on Stack Overflow - Search for 'Stack Overflow'
The django csrf middleware can't be disabled. I've commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware? I have to disable it because there are lots… >>> More
Having a POST'able API and Django's CSRF Middleware

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403. I understand why this is happening, but what is the proper… >>> More
Django, CSRF protection and js generated form

as seen on Stack Overflow - Search for 'Stack Overflow'
I have to create a form dynamically via javascript (yeah, that sounds ugly, but read this for the reason) and wants to make its submission CSRF proof. Usually, I use the @csrf_protect decorator in my views, and the {% csrf_token %} tag in my templates, as recommanded in the doc. But what should I… >>> More
Django - How to do CSFR on public pages? Or, better yet, how should it be used period?

as seen on Stack Overflow - Search for 'Stack Overflow'
After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct? I guess I don't really understand when it's safe to use… >>> More