Reputation: 1084
I've never developed Chrome extensions before and am currently working on a Chrome extension (with link submission functionality) for my Django-powered app. When I try to submit a link using the extension, I get the following error:
'POST http://127.0.0.1:8000/add_link_from_extension 403 (FORBIDDEN)'
This can be solved by passing csrfmiddlewaretoken in the postdata JSON; however, obviously I can't do
<script>var csrfmiddlewaretoken = "{{ csrf_token }}"</script>
in the HTML file from the Chrome extension. How would you pass csrf_token from Django to the Chrome extension's JavaScript? Alternatively, is there any other way around this issue? Here's the relevant portion of the JS code from the Chrome extension:
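// Form fields sent to the Django view; without a CSRF token the POST gets a 403.
var postdata = {
    "url": url.value
    // "csrfmiddlewaretoken": csrfmiddlewaretoken  // not available inside the extension
};
$.post('http://' + "127.0.0.1:8000" + '/add_link_from_extension', postdata, success);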
Upvotes: 2
Views: 2245
Reputation: 239200
You can try to set a cookie with the CSRF token (see: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax). Or, simply decorate your view with csrf_exempt.
Personally, I find both methods sub-optimal. Really, if you're going to allow external access to your site through something like a browser extension, you should set up and use an API, and in particular, if you're going to allow any sort of write access, you should add an authentication layer with something like OAuth. django-tastypie is a good drop-in API solution you can try, and it supports OAuth out of the box.
Upvotes: 5
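The cookie route mentioned in the answer above, as an added example that is not part of the original posts: the extension reads Django's CSRF cookie and sends it back in the CSRF header, so the view stays protected instead of being marked csrf_exempt. Assumptions: Django's default cookie and header names (csrftoken, X-CSRFToken), its 32- or 64-character alphanumeric token format, a csrftoken cookie already set by the site, and the hypothetical helper names validToken, buildLinkRequest and submitLink.

```javascript
// Added example: helper names are hypothetical, not from the original posts.
const DJANGO_ORIGIN = 'http://127.0.0.1:8000'; // dev server from the question
const CSRF_COOKIE = 'csrftoken';               // Django default CSRF_COOKIE_NAME
const CSRF_HEADER = 'X-CSRFToken';             // Django default CSRF header

// Accept only values shaped like a Django CSRF token (assumed format), so a
// missing or tampered cookie never ends up in a request header.
function validToken(token) {
  return typeof token === 'string' && /^(?:[A-Za-z0-9]{32}|[A-Za-z0-9]{64})$/.test(token);
}

// Pure function: builds the fetch() arguments for the link submission.
function buildLinkRequest(linkUrl, token) {
  if (!validToken(token)) {
    throw new Error('no usable CSRF cookie: load a page from the Django site first');
  }
  return {
    endpoint: DJANGO_ORIGIN + '/add_link_from_extension',
    options: {
      method: 'POST',
      credentials: 'include', // send the csrftoken and session cookies along
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        [CSRF_HEADER]: token,
      },
      body: new URLSearchParams({ url: linkUrl }).toString(),
    },
  };
}

// Runs only inside the extension: manifest.json needs the "cookies"
// permission and host permission for DJANGO_ORIGIN. chrome.cookies.get
// passes null to the callback when the cookie does not exist.
function submitLink(linkUrl) {
  return new Promise((resolve, reject) => {
    chrome.cookies.get({ url: DJANGO_ORIGIN, name: CSRF_COOKIE }, (cookie) => {
      try {
        const req = buildLinkRequest(linkUrl, cookie && cookie.value);
        fetch(req.endpoint, req.options).then(resolve, reject);
      } catch (err) {
        reject(err);
      }
    });
  });
}
```

Django only sets the csrftoken cookie on responses whose view or template uses the token, so the server side may need ensure_csrf_cookie on a page the user visits first.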