Commit cfc1756e authored by Luke Plant's avatar Luke Plant

[1.2.X] Fixed #15469 - CSRF token is inserted on GET requests

Thanks to goran for report.

Backport of [16191] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16194 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 87fa64ca
+5 −1
@@ -124,7 +124,11 @@ that allow headers to be set on every request. In jQuery, you can use the
                // or any other URL that isn't scheme relative or absolute i.e relative.
                !(/^(\/\/|http:|https:).*/.test(url));
        }
        if (sameOrigin(settings.url)) {
        function safeMethod(method) {
            return (method === 'GET' || method === 'HEAD');
        }

        if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
            xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
        }
    });
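Review bot: `safeMethod` compares `settings.type` with `'GET'` and `'HEAD'` by exact, case-sensitive equality, so a call made with `type: 'get'` would still get the `X-CSRFToken` header unless jQuery has already upper-cased `settings.type` before this handler runs. That depends on the jQuery version and should be confirmed. The function also treats OPTIONS and TRACE as unsafe although HTTP defines them as safe, so the token is attached to requests that presumably do not need it. One anchored, case-insensitive test covers both points: `return (/^(GET|HEAD|OPTIONS|TRACE)$/i.test(method));`. The enclosing handler begins above the hunk, so how `settings` is populated is not visible here.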