
Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests

Thanks to brodie for the report, and further input from tow21

This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the release notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant
2011-05-09 23:45:54 +00:00
parent 8cbcf1d3a6
commit cb060f0f34
4 changed files with 65 additions and 16 deletions
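The commit message says that code doing PUT/DELETE requests without CSRF handling must be updated. As an added illustration (not Django's own code and not part of this commit), the following client-side helper attaches the token the way the AJAX instructions describe, treating only GET, HEAD, OPTIONS and TRACE as exempt so that PUT and DELETE are handled like POST. It assumes Django's default cookie name `csrftoken` and header name `X-CSRFToken`; the cookie string, page origin and `fetchImpl` are injected so it runs outside a browser, and the sample cookie values in the test are constructed.

```javascript
// Added example, not Django's own code: a client-side helper that attaches the
// CSRF token to every AJAX request whose method is not exempt. After this commit
// the exempt methods are GET, HEAD, OPTIONS and TRACE; a PUT or DELETE that
// omits the token, which previously passed unchecked, is rejected like a POST.
// Cookie name 'csrftoken' and header name 'X-CSRFToken' are Django's defaults.

const CSRF_SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// True for the methods Django exempts from the CSRF check.
function csrfSafeMethod(method) {
  return CSRF_SAFE_METHODS.has(String(method).toUpperCase());
}

// Reads one cookie from a document.cookie-style string ("a=1; b=2").
// The string is passed in explicitly so the helper runs outside a browser.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// True when url (absolute or relative) resolves to the same origin as pageOrigin.
// The token must never be sent cross-origin, or a third party learns it.
function sameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Returns the headers to send: the token is added only for a non-exempt method
// on a same-origin URL. A missing token on an unsafe same-origin request is
// reported as an error here, because the server would answer 403 anyway.
function buildHeaders(method, url, cookieString, pageOrigin, extra = {}) {
  const headers = Object.assign({}, extra);
  if (csrfSafeMethod(method) || !sameOrigin(url, pageOrigin)) {
    return headers;
  }
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie missing; ' + method + ' ' + url + ' would be rejected');
  }
  headers['X-CSRFToken'] = token;
  return headers;
}

// Thin wrapper around fetch() that applies buildHeaders(). env.cookieString,
// env.pageOrigin and env.fetchImpl are injectable so the wrapper can be
// exercised without a browser or a network (hypothetical helper, not Django API).
function csrfFetch(url, options = {}, env = {}) {
  const method = options.method || 'GET';
  const cookieString = env.cookieString !== undefined
    ? env.cookieString
    : (typeof document !== 'undefined' ? document.cookie : '');
  const pageOrigin = env.pageOrigin
    || (typeof location !== 'undefined' ? location.origin : 'http://localhost');
  const fetchImpl = env.fetchImpl || globalThis.fetch;
  const headers = buildHeaders(method, url, cookieString, pageOrigin, options.headers || {});
  return fetchImpl(url, Object.assign({}, options, {
    method: method,
    headers: headers,
    credentials: 'same-origin',
  }));
}
```

The same-origin check matters as much as the method check: a request that carries the token to another origin hands it to that origin, so the helper sends the header only when both conditions hold.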

@@ -214,3 +214,15 @@ you should add the following lines in your settings file::
Don't forget to escape characters that have a special meaning in a regular
expression.
CSRF protection extended to PUT and DELETE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Previously, Django's :doc:`CSRF protection </ref/contrib/csrf/>` provided
protection against only POST requests. Since use of PUT and DELETE methods in
AJAX applications is becoming more common, we now protect all methods not
defined as safe by RFC 2616 i.e. we exempt GET, HEAD, OPTIONS and TRACE, and
enforce protection on everything.
If you using PUT or DELETE methods in AJAX applications, please see the
:ref:`instructions about using AJAX and CSRF <csrf-ajax>`.
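Review bot: the added paragraph under "CSRF protection extended to PUT and DELETE" has two wording defects: "enforce protection on everything" should read "everything else" (the sentence has just listed the exempt methods), and "If you using PUT or DELETE methods" is missing "are". The commit message also says the backwards-incompatible effect is "noted in the release notes", but the added text only points to the AJAX instructions; state explicitly that a PUT or DELETE request that does not carry the CSRF token, which previously went through, will now be rejected like an unprotected POST, so readers know their existing code will start failing rather than merely being discouraged.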