3

I've got Pyjamas and Django running via Apache2 with mod_wsgi on Windows 7. I do not believe I'm getting issues from the setups of these things, though: the only thing that is not working is trying to POST information from Pyjamas-generated forms. Trying to use Pyjamas-generated forms in my application produces 403s (the "CSRF verification failed" error page).

I have spent hours on this and read all of the answers I could find on here related to CSRF and Pyjamas, and done a lot of external research just on CSRF and Django, Django and Ajax, etc. If this question isn't reaching anyone who knows just what to do in this situation, I think I've whittled down the essence of the question.

How would one get the {% csrf_token %} into the Pyjamas-generated form? It seems like it might be impossible, because from what I understand CSRF tokens are not persistent, which a Pyjamas-generated page is ... My Pyjamas page is generated from a Pyjamas .py file, resulting in a folder full of hard-coded stuff. How is it that I would integrate the current CSRF token into that already-coded form?

Please don't hesitate to ask for more details, this issue has been incredibly hard to navigate. None of the published information on integrating Pyjamas & Django regards this; and the only solutions I've found that seem aware of CSRF in Django say you should probably just disable CSRF protection (which I could do, but what protection could I put in place of it? My own cookie system? Is it a terrible idea to disable CSRF protection in any case?).

Thank you!

floer32

1 Answer

3

You'll need to write some JavaScript to get the CSRF token from the cookie (part of the HTTP request), then add it to the form on submit.

Look at this answer for a starting point: Django CSRF check failing with an Ajax POST request

The key here is that the JavaScript can be as persistent as your Pyjamas-generated files, because they defer handling the token until the form is submitted.

Mike DeSimone
  • Okay, I understand that I would add the relevant JavaScript into the .py Pyjamas file before compiling. But the link you provided seems to be jQuery-specific, and as somebody who understands very little of JavaScript (and by extension, of jQuery), I am not sure how I'd adapt that to be jQuery-independent ... This sounds like just the right solution, but just how jQuery-dependent is the code in that answer, do you know? – floer32 Oct 18 '11 at 23:24
  • 1
    I'm not a JavaScript master myself, and it would be easier for you to either put jQuery in your page or at least download the non-minified version and extract the `trim` function. It's probably something trivial like stripping whitespace from the start and end of a string. The part you want from the answer is `function getCookie(name)`. Then you can use `getCookie('csrftoken')` to get the cookie data and add it as a hidden field to your form (which is all the `{% csrf_token %}` template does anyway). – Mike DeSimone Oct 19 '11 at 18:31
  • Okay, that seemed like the ticket, and I'm sure it would be if I could just get Django to serve up the relevant Pyjamas page in a reasonable way, but I'm tired of hacking the URLs interface of Django to get Pyjamas to even show up correctly ... Too many frustrations and not enough documentation to keep going with this Pyjamas thing. Seems like it could be cool when not integrating with Django, but documentation on that integration is sorely lacking. I'm going to switch to jQuery entirely. Thank you for your time though!! – floer32 Oct 20 '11 at 03:24
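
Added example, not part of the original thread and not code from Django or Pyjamas: a jQuery-free version of the approach in the answer and comments above, reading the token from the cookie at submit time and placing it in a hidden field. It assumes Django's default names (`csrftoken` cookie, `csrfmiddlewaretoken` field); `addCsrfField` is a hypothetical helper name.

```javascript
// Added example. Assumes Django's defaults: cookie "csrftoken" and the
// hidden field name that {% csrf_token %} renders, "csrfmiddlewaretoken".
const CSRF_COOKIE = 'csrftoken';
const CSRF_FIELD = 'csrfmiddlewaretoken';

// Parse a document.cookie-style string ("a=1; b=2") and return the value
// of the named cookie, or null. String.prototype.trim replaces jQuery.trim.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    // Exact name match, so "xcsrftoken" is not mistaken for "csrftoken".
    if (pair.slice(0, eq) === name) {
      try {
        return decodeURIComponent(pair.slice(eq + 1));
      } catch (e) {
        return pair.slice(eq + 1); // malformed %-escape: return raw value
      }
    }
  }
  return null;
}

// Insert or refresh the hidden token field (hypothetical helper name).
// Returns false when no CSRF cookie is present, so the caller can react.
function addCsrfField(form, doc) {
  const token = getCookie(doc.cookie, CSRF_COOKIE);
  if (token === null) return false;
  let field = form.querySelector('input[name="' + CSRF_FIELD + '"]');
  if (!field) {
    field = doc.createElement('input');
    field.type = 'hidden';
    field.name = CSRF_FIELD;
    form.appendChild(field);
  }
  field.value = token; // refreshed on every submit, never baked into the page
  return true;
}

// Browser wiring: one capturing listener covers every form on the page.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', function (ev) {
    addCsrfField(ev.target, document);
  }, true);
}
```

A form submitted from script with `form.submit()` does not fire the `submit` event, so call `addCsrfField(form, document)` directly before such a call. The cookie only exists once Django has set it on an earlier response, for example from a view decorated with `ensure_csrf_cookie`.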