Marin

Reputation: 1331

Cross-domain CSRF

I've got two different django projects, where one sits on domain A and has a bunch of functionalities (REST among them). Site B is simple and I want to post ajax-forms to site A, but keep csrf security. Is that possible?

Btw sites can share database if necessary.

Upvotes: 5

Views: 2194

Answers (1)

zeroos

Reputation: 2204

I've had a similar problem and I've managed to solve it in the following way:

  1. issue GET request from site B to site A to fetch a form (with csrf field)
  2. POST the form back to site A.

The main problem for me was to get cross-site ajax requests to work. To achieve that I've had to configure CORS correctly on the server-side (I've slightly edited this middleware: https://gist.github.com/strogonoff/1369619) and set xmlHttp.withCredentials = true (where xmlHttp is my XMLHttpRequest object) in the ajax POST function.

I've tested this solution on two different ports on the same IP address, but I think it should also work cross-domain.

Upvotes: 3
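The two-step flow in the answer (fetch the form and its CSRF token from site A, then POST it back with credentials) only stays safe if site A's CORS handling is strict. The block below is an added example, not the answer's code and not the linked gist: a dependency-free Python simulation of the server-side logic site A needs. The origin `https://b.example.org` and the `handle_post` helper are constructed for illustration; the point it shows is that a credentialed request can never be answered with a wildcard `Access-Control-Allow-Origin`, so the exact origin must be echoed back from an explicit allowlist, and the CSRF token from the cookie must still match the one submitted in the form.

```python
import hmac
import secrets

# Constructed allowlist: only site B may send credentialed AJAX requests to
# site A (hypothetical hostname, not from the question).
ALLOWED_ORIGINS = {"https://b.example.org"}


def cors_headers(origin, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS response headers site A should emit for this Origin.

    Browsers reject a wildcard Access-Control-Allow-Origin when the request
    carries credentials (withCredentials = true), so the exact origin is
    echoed back, and only when it is on the allowlist. Any other origin gets
    no CORS headers at all, which makes the browser block the response.
    """
    if origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type, X-CSRFToken",
        # The response differs per Origin; tell caches so one origin's
        # response is never replayed to another.
        "Vary": "Origin",
    }


def issue_csrf_token():
    """Step 1: site A hands out a fresh token, set both as the csrftoken
    cookie and as the hidden field in the fetched form."""
    return secrets.token_hex(32)


def csrf_ok(cookie_token, submitted_token):
    """Double-submit check for step 2: the token in the cookie must equal the
    token the form (or X-CSRFToken header) sent back. Constant-time compare
    so the comparison itself leaks nothing about the token."""
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def handle_post(origin, cookie_token, form_token):
    """Simulate site A processing the cross-site POST from step 2.

    Returns (status, response_headers, message). CORS is decided first so a
    disallowed origin never learns anything about the CSRF outcome.
    """
    headers = cors_headers(origin)
    if not headers:
        return 403, {}, "origin not allowed"
    if not csrf_ok(cookie_token, form_token):
        return 403, headers, "CSRF token missing or incorrect"
    return 200, headers, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    # Legitimate flow: site B fetched the form, so cookie and field agree.
    print(handle_post("https://b.example.org", token, token))
    # A page on an unlisted origin: blocked by CORS before CSRF is even checked.
    print(handle_post("https://other.example", token, token))
    # Right origin but a stale or guessed field value: CSRF check rejects it.
    print(handle_post("https://b.example.org", token, "0" * 64))
```

In a real deployment the allowlist belongs in settings, not in code, and Django's own `CsrfViewMiddleware` additionally checks the `Referer` header on HTTPS requests, so the form fetched in step 1 must be served over the same scheme the POST uses.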
