def process_response(self, request, response):
    """Attach the cross-domain CSRF cookie to ``response`` when it is safe to do so.

    The cookie is only emitted when all of the following hold:

    * ``is_cross_domain_request_allowed(request)`` accepts the request;
    * ``request.META['CROSS_DOMAIN_CSRF_COOKIE_USED']`` is truthy (set by the
      ``@ensure_cross_domain_csrf_cookie`` decorator on the view);
    * ``request.META['CSRF_COOKIE_USED']`` is truthy and ``CSRF_COOKIE`` is present
      (the CSRF middleware has already produced a token for this request).

    Otherwise the response is returned untouched.

    Returns:
        The same ``response`` object, possibly with one extra ``Set-Cookie``.
    """
    if not is_cross_domain_request_allowed(request):
        log.debug("Could not set cross-domain CSRF cookie.")
        return response

    meta = request.META
    # NOTE(review): CROSS_DOMAIN_CSRF_COOKIE_USED / CSRF_COOKIE_USED are META
    # flags written elsewhere (the view decorator and Django's CSRF
    # middleware); verify they are still set under the Django version in use.
    wanted = (
        meta.get('CROSS_DOMAIN_CSRF_COOKIE_USED', False)
        and meta.get('CSRF_COOKIE_USED', False)
        and meta.get('CSRF_COOKIE') is not None
    )
    if not wanted:
        return response

    cookie_name = settings.CROSS_DOMAIN_CSRF_COOKIE_NAME
    cookie_domain = settings.CROSS_DOMAIN_CSRF_COOKIE_DOMAIN
    # Mirrors Django's own CSRF cookie, but with the cross-domain name/domain
    # and "secure" forced on so the token is never sent in the clear.
    # NOTE(review): httponly and samesite are left at set_cookie's defaults --
    # presumably because the consuming origin reads this token from JS;
    # confirm that is intended and that the domain scope is as narrow as possible.
    response.set_cookie(
        cookie_name,
        meta['CSRF_COOKIE'],
        max_age=settings.CSRF_COOKIE_AGE,
        domain=cookie_domain,
        path=settings.CSRF_COOKIE_PATH,
        secure=True,
    )
    log.debug(
        "Set cross-domain CSRF cookie '%s' for domain '%s'",
        cookie_name,
        cookie_domain,
    )
    return response
def enforce_csrf(self, request):
    """Run the parent CSRF enforcement, relaxing only the referer check for allowed cross-domain requests.

    When ``is_cross_domain_request_allowed(request)`` is true the parent
    ``enforce_csrf`` is invoked inside ``skip_cross_domain_referer_check``;
    otherwise it is invoked as-is. The parent's result (or exception) is
    returned/propagated unchanged in both paths.

    NOTE(review): only the referer check is bypassed here -- the remaining
    CSRF validation is presumably still performed by the parent; confirm
    against the parent implementation.
    """
    parent = super(SessionAuthenticationCrossDomainCsrf, self)
    if not is_cross_domain_request_allowed(request):
        return parent.enforce_csrf(request)
    with skip_cross_domain_referer_check(request):
        return parent.enforce_csrf(request)
def process_view(self, request, callback, callback_args, callback_kwargs):
    """Delegate to the parent CSRF middleware, skipping its referer check for allowed cross-domain requests.

    If ``is_cross_domain_request_allowed(request)`` is false, a debug line is
    logged and ``None`` is returned so the normal middleware chain proceeds
    untouched. Otherwise the parent ``process_view`` runs inside
    ``skip_cross_domain_referer_check`` and its return value is passed through.

    NOTE(review): the relaxation is scoped to the referer check only;
    the parent is presumably still responsible for token validation -- confirm.
    """
    if not is_cross_domain_request_allowed(request):
        log.debug("Could not disable CSRF middleware referer check for cross-domain request.")
        return None

    parent = super(CorsCSRFMiddleware, self)
    with skip_cross_domain_referer_check(request):
        return parent.process_view(request, callback, callback_args, callback_kwargs)
def process_view(self, request, callback, callback_args, callback_kwargs):
    """Call the parent CSRF middleware's ``process_view``, without the referer check for allowed cross-domain requests.

    Allowed requests (per ``is_cross_domain_request_allowed``) are handed to
    the parent inside ``skip_cross_domain_referer_check`` and its result is
    returned. Any other request gets a debug log line and ``None``, leaving
    the rest of the middleware chain to run normally.

    NOTE(review): only the referer check is relaxed; confirm the parent still
    performs token validation for these requests.
    """
    allowed = is_cross_domain_request_allowed(request)
    if allowed:
        with skip_cross_domain_referer_check(request):
            return super(CorsCSRFMiddleware, self).process_view(
                request, callback, callback_args, callback_kwargs
            )

    log.debug(
        "Could not disable CSRF middleware referer check for cross-domain request."
    )
    return None
def process_response(self, request, response):
    """Emit the cross-domain CSRF cookie on ``response`` for eligible requests.

    Eligibility requires ``is_cross_domain_request_allowed(request)`` plus
    three ``request.META`` conditions: ``CROSS_DOMAIN_CSRF_COOKIE_USED`` truthy
    (view decorated with ``@ensure_cross_domain_csrf_cookie``),
    ``CSRF_COOKIE_USED`` truthy, and ``CSRF_COOKIE`` not ``None`` (the CSRF
    middleware already produced a token). Ineligible requests get the
    response back unchanged.

    Returns:
        ``response``, with one additional ``Set-Cookie`` when eligible.
    """
    if not is_cross_domain_request_allowed(request):
        log.debug("Could not set cross-domain CSRF cookie.")
        return response

    meta = request.META
    token = meta.get('CSRF_COOKIE')
    # NOTE(review): the *_USED flags are written by the view decorator and
    # Django's CSRF middleware respectively; verify they still exist under
    # the installed Django version.
    if meta.get('CROSS_DOMAIN_CSRF_COOKIE_USED', False) and meta.get('CSRF_COOKIE_USED', False) and token is not None:
        name = settings.CROSS_DOMAIN_CSRF_COOKIE_NAME
        domain = settings.CROSS_DOMAIN_CSRF_COOKIE_DOMAIN
        # Same shape as Django's CSRF cookie, except the name/domain are the
        # cross-domain ones and "secure" is always on so the token only
        # travels over TLS.
        # NOTE(review): httponly/samesite are not passed and so take
        # set_cookie's defaults -- presumably so JS on the consuming origin can
        # read the token; confirm this and that the cookie domain is as narrow
        # as the deployment allows.
        response.set_cookie(
            name,
            token,
            max_age=settings.CSRF_COOKIE_AGE,
            domain=domain,
            path=settings.CSRF_COOKIE_PATH,
            secure=True,
        )
        log.debug("Set cross-domain CSRF cookie '%s' for domain '%s'", name, domain)

    return response