Allow custom CSRF_HEADER_NAME setting. (#4415)

2024-11-22 17:47:04 +03:00 · 2016-08-18 11:24:03 +01:00 · 2016-08-18 11:24:03 +01:00 · b76984d222
commit b76984d222
parent 966330a85a
4 changed files with 11 additions and 2 deletions
--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@ -645,6 +645,12 @@ class BrowsableAPIRenderer(BaseRenderer):
        else:
            paginator = None

+        csrf_cookie_name = settings.CSRF_COOKIE_NAME
+        csrf_header_name = getattr(settings, 'CSRF_HEADER_NAME', 'HTTP_X_CSRFToken')  # Fallback for Django 1.8
+        if csrf_header_name.startswith('HTTP_'):
+            csrf_header_name = csrf_header_name[5:]
+        csrf_header_name = csrf_header_name.replace('_', '-')
+
        context = {
            'content': self.get_content(renderer, data, accepted_media_type, renderer_context),
            'view': view,
@ -675,7 +681,8 @@ class BrowsableAPIRenderer(BaseRenderer):
            'display_edit_forms': bool(response.status_code != 403),

            'api_settings': api_settings,
-            'csrf_cookie_name': settings.CSRF_COOKIE_NAME,
+            'csrf_cookie_name': csrf_cookie_name,
+            'csrf_header_name': csrf_header_name
        }
        return context

--- a/rest_framework/static/rest_framework/js/csrf.js
+++ b/rest_framework/static/rest_framework/js/csrf.js
@ -46,7 +46,7 @@ $.ajaxSetup({
      // Send the token to same-origin, relative URLs only.
      // Send the token only if the method warrants CSRF protection
      // Using the CSRFToken value acquired earlier
-      xhr.setRequestHeader("X-CSRFToken", csrftoken);
+      xhr.setRequestHeader(window.drf.csrfHeaderName, csrftoken);
    }
  }
 });
--- a/rest_framework/templates/rest_framework/admin.html
+++ b/rest_framework/templates/rest_framework/admin.html
@ -232,6 +232,7 @@
      {% block script %}
        <script>
          window.drf = {
+            csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
            csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
          };
        </script>
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@ -263,6 +263,7 @@
    {% block script %}
      <script>
        window.drf = {
+          csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
          csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
        };
      </script>