Protecting XHR requests based on prototype.js from CSRF

Django has been updated to 1.3, and in fact since 1.2.5 it has extended its CSRF scheme so that the security token also has to be passed for XMLHttpRequests. The Django people helpfully provide a jQuery example that applies a specific header to every XHR.

Prototype (and therefore Scriptaculous) should follow the same pattern, but I cannot find a way to tell Prototype to add an X-CSRFToken header. It would be best to do this once so that it applies throughout the application (as with jQuery).

Is there any way to do this?

+4
1 answer

This is a wild hunch, but you can try extending the AJAX base class ...

    Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(
        function (callOriginal, options) {
            options = options || {};  // Ajax.Base tolerates a missing options object
            var headers = options.requestHeaders || {};
            // getCookie is the helper from Django's CSRF documentation
            headers["X-CSRFToken"] = getCookie("csrftoken");
            options.requestHeaders = headers;
            return callOriginal(options);
        }
    );
+7
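As an added example (not code from the question or the answer above), the header logic is factored out so it can be checked without loading Prototype: the cookie parsing follows Django's getCookie helper, and the safe-method and same-origin rules mirror Django's own jQuery example. The names getCookie, sameOrigin and withCsrfHeader, and the cookie string, are my own; the commented Prototype wiring at the end is how it would plug into Ajax.Request.

```javascript
// Read one cookie out of a document.cookie-style string (same approach as
// Django's documented getCookie helper, but taking the string as a parameter).
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const c = part.trim();
    if (c.startsWith(name + '=')) {
      return decodeURIComponent(c.slice(name.length + 1));
    }
  }
  return null;
}

// Django does not CSRF-check these methods, so no token is needed for them.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Only attach the token to requests for our own origin (relative URLs or an
// absolute URL with the page's scheme://host), so it never leaks cross-site.
function sameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false;
  }
}

// Return a copy of a Prototype options object with X-CSRFToken added when the
// request is unsafe and same-origin. Prototype defaults `method` to 'post';
// requestHeaders is assumed to be in object form, as in the answer above.
function withCsrfHeader(url, options, cookieString, pageOrigin) {
  const opts = Object.assign({}, options);
  const method = (opts.method || 'post').toUpperCase();
  const token = getCookie(cookieString, 'csrftoken');
  if (token && !SAFE_METHODS.has(method) && sameOrigin(url, pageOrigin)) {
    opts.requestHeaders = Object.assign({}, opts.requestHeaders, { 'X-CSRFToken': token });
  }
  return opts;
}

// Wiring into Prototype (hypothetical; Ajax.Request's initialize receives (url, options),
// which is where the URL needed for the origin check is available):
// Ajax.Request.prototype.initialize = Ajax.Request.prototype.initialize.wrap(
//   function (callOriginal, url, options) {
//     return callOriginal(url, withCsrfHeader(url, options, document.cookie, location.origin));
//   }
// );

// Constructed sample cookie string, standing in for document.cookie.
const SAMPLE_COOKIES = 'sessionid=abc; csrftoken=tok%2B123; theme=dark';
```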

Source: https://habr.com/ru/post/1346733/
