In Django, when the CSRF_COOKIE_HTTPONLY setting is set to True, the CSRF cookie gets the HttpOnly flag, which is security-friendly but breaks the standard Angular solution of adding this cookie to $httpProvider, as shown below:
$httpProvider.defaults.xsrfCookieName = 'csrftoken';
$httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken';
Through Django 1.9 there was a workaround in which you could simply pass the cookie directly to the application by placing it in the template:
<script> window.csrf_token = "{{ csrf_token }}"; </script>
And adding this to the angular app:
angularApp.config(["$httpProvider", function($httpProvider) { $httpProvider.defaults.headers.common["X-CSRFToken"] = window.csrf_token; }]);
Unfortunately, this does not work for single-page Angular applications in Django 1.10+, since the CSRF cookie changes after each request. How do you make POST requests from Angular to Django 1.10+ with CSRF_COOKIE_HTTPONLY set to True?
NB: Disabling CSRF protection is not an acceptable response.
angularjs django cookies csrf django-csrf
Zags Nov 28 '16 at 18:55
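The mechanism behind the question's observation, as an added example that is not part of the original post and not Django's own code: a toy re-implementation of the CSRF token masking Django introduced in 1.10 (a 32-character secret, re-masked with a fresh random salt on every response, so the cookie value and {{ csrf_token }} look different each time while validation compares the unmasked secrets). The alphabet and lengths mirror Django's constants as the editor understands them; the function names, the `simulate_spa` model of the Angular page and the "forged" token are this example's own assumptions.

```python
"""Toy re-implementation of Django 1.10+ CSRF token masking (not Django's code).

Django >= 1.10 keeps one 32-char secret per session and, on every response,
emits a fresh 64-char masked token (random 32-char salt + secret shifted by
that salt) as the csrftoken cookie and as {{ csrf_token }}. Validation unmasks
both sides and compares the secrets, so two differently masked tokens derived
from the same secret are interchangeable.
"""
import hmac
import secrets
import string
from typing import Optional

# Mirrors Django's CSRF_ALLOWED_CHARS / CSRF_SECRET_LENGTH / CSRF_TOKEN_LENGTH.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def _random_chars(n: int) -> str:
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))


def new_csrf_secret() -> str:
    """Per-session secret; generated once and kept stable across responses."""
    return _random_chars(CSRF_SECRET_LENGTH)


def mask_secret(secret: str, salt: Optional[str] = None) -> str:
    """Return salt + (secret shifted by salt). A new salt on each call gives a
    new token value per response, which is what the post sees as the cookie
    'changing after each request'."""
    if len(secret) != CSRF_SECRET_LENGTH:
        raise ValueError("secret must be %d chars" % CSRF_SECRET_LENGTH)
    salt = salt if salt is not None else _random_chars(CSRF_SECRET_LENGTH)
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(k)) % n]
        for s, k in zip(secret, salt)
    )
    return salt + cipher


def unmask_token(token: str) -> Optional[str]:
    """Recover the secret from a masked token; None if the token is malformed."""
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return None
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(k)) % n]
        for c, k in zip(cipher, salt)
    )


def request_is_valid(cookie_token: str, header_token: str) -> bool:
    """Server-side check: the X-CSRFToken header must unmask to the same secret
    as the csrftoken cookie that the browser sent (constant-time compare)."""
    a, b = unmask_token(cookie_token), unmask_token(header_token)
    if a is None or b is None:
        return False
    return hmac.compare_digest(a.encode(), b.encode())


def simulate_spa(requests_between: int = 3) -> dict:
    """Model the post's SPA (assumed flow): the page is rendered once with
    window.csrf_token = {{ csrf_token }}; later XHRs keep sending that header
    while every response rotates the masked value in the HttpOnly cookie."""
    secret = new_csrf_secret()
    template_token = mask_secret(secret)      # what the <script> tag embedded
    cookie = mask_secret(secret)              # initial csrftoken cookie
    cookie_values = [cookie]
    for _ in range(requests_between):
        cookie = mask_secret(secret)          # re-masked on each response
        cookie_values.append(cookie)
    forged = mask_secret(new_csrf_secret())   # constructed token from another secret
    return {
        "cookie_rotated": len(set(cookie_values)) == len(cookie_values),
        "template_token_still_valid": request_is_valid(cookie, template_token),
        "forged_token_rejected": not request_is_valid(cookie, forged),
    }


if __name__ == "__main__":
    print(simulate_spa())
```

The point a practitioner should take from running it: the HttpOnly cookie is still sent by the browser automatically, and only the header value has to come from somewhere script can read; because validation is on the unmasked secret, a token rendered into the template stays valid for as long as the session's secret does, even though each response carries a differently masked cookie.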