archive/pillar
0
0
Fork 0
Code Issues 42 Pull Requests Projects Releases Wiki Activity

Update flask_wtf to 0.14.2 and make CSRFProtect available to current_app

Browse Source 
By default CSRF protection is disabled for all views, since most
web endpoints and all API endpoints do not need it.
On the views that require it, we use the 
current_app.csrf.protect() method.
This commit is contained in:
Francesco Siddi
2018-03-28 22:05:54 +02:00
parent fc9c518c2a
commit e69f991aa6
6 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/templates/layout.pug
View File

@@ -87,7 +87,16 @@ html(lang="en")
| {% block footer_scripts_pre %}{% endblock %}
| {% block footer_scripts %}{% endblock %}
script.
// When sending an AJAX request, always add the X-CSRFToken header to it.
var csrf_token = "{{ csrf_token() }}";
$.ajaxSetup({
beforeSend: function (xhr, settings) {
if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
xhr.setRequestHeader("X-CSRFToken", csrf_token);
}
}
});
script.
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){