
Allow custom CSRF_HEADER_NAME setting. (#4415)
tomchristie authored Aug 18, 2016
1 parent 966330a commit b76984d
Showing 4 changed files with 11 additions and 2 deletions.
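--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@@ -645,6 +645,12 @@ def get_context(self, data, accepted_media_type, renderer_context):
 else:
 paginator = None
 
+csrf_cookie_name = settings.CSRF_COOKIE_NAME
+csrf_header_name = getattr(settings, 'CSRF_HEADER_NAME', 'HTTP_X_CSRFToken') # Fallback for Django 1.8
+if csrf_header_name.startswith('HTTP_'):
+csrf_header_name = csrf_header_name[5:]
+csrf_header_name = csrf_header_name.replace('_', '-')
+
 context = {
 'content': self.get_content(renderer, data, accepted_media_type, renderer_context),
 'view': view,
@@ -675,7 +681,8 @@ def get_context(self, data, accepted_media_type, renderer_context):
 'display_edit_forms': bool(response.status_code != 403),
 
 'api_settings': api_settings,
-'csrf_cookie_name': settings.CSRF_COOKIE_NAME,
+'csrf_cookie_name': csrf_cookie_name,
+'csrf_header_name': csrf_header_name
 }
 return context
 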
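Review bot: The `CSRF_HEADER_NAME` conversion in the first hunk has no comment saying that the setting is a `request.META` key rather than a header name, and the slice relies on the magic number `5`. I would add `# CSRF_HEADER_NAME is a request.META key such as 'HTTP_X_CSRFTOKEN'; turn it into the header name the browser sends.` above the `getattr` line and write the slice as `csrf_header_name[len('HTTP_'):]`. The header that csrf.js sends has to match the key the CSRF middleware reads, so the mapping is worth making explicit. `get_context` starts outside the hunk.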
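--- a/rest_framework/static/rest_framework/js/csrf.js
+++ b/rest_framework/static/rest_framework/js/csrf.js
@@ -46,7 +46,7 @@ $.ajaxSetup({
 // Send the token to same-origin, relative URLs only.
 // Send the token only if the method warrants CSRF protection
 // Using the CSRFToken value acquired earlier
-xhr.setRequestHeader("X-CSRFToken", csrftoken);
+xhr.setRequestHeader(window.drf.csrfHeaderName, csrftoken);
 }
 }
 });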
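Review bot: `window.drf.csrfHeaderName` is read with no fallback, so a page whose `window.drf` object lacks the new key would most likely send the token under a header named `undefined`, and every unsafe request would then fail CSRF validation. The bundled templates supply a default, but a project template that overrides the `script` block (presumably possible, given the `{% block script %}` wrapper) would not define the key. Keeping the old name as the fallback avoids that: `xhr.setRequestHeader(window.drf.csrfHeaderName || "X-CSRFToken", csrftoken);`. The enclosing `$.ajaxSetup` callback starts outside the hunk.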
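--- a/rest_framework/templates/rest_framework/admin.html
+++ b/rest_framework/templates/rest_framework/admin.html
@@ -232,6 +232,7 @@ <h4 class="modal-title" id="myModalLabel">{{ error_title }}</h4>
 {% block script %}
 <script>
 window.drf = {
+csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
 csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
 };
 </script>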
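Review bot: The added `csrfHeaderName` line has no trailing comma, so the `window.drf` object literal is a JavaScript syntax error and the whole inline script fails to run; csrf.js then has no `window.drf` to read the header and cookie names from. The line should read `csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}",`. The same line is added without a comma in rest_framework/templates/rest_framework/base.html. Both values are written into a JavaScript string with HTML autoescaping only, so `|escapejs` would be the safer filter even though the names come from settings.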
1 change: 1 addition & 0 deletions rest_framework/templates/rest_framework/base.html
Expand Up @@ -263,6 +263,7 @@ <h1>{{ name }}</h1>
{% block script %}
<script>
window.drf = {
csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"


tomchristie Aug 23, 2016


Thanks!

csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
};
</script>
