Allow custom CSRF_HEADER_NAME setting. (#4415)

b76984d2 · Tom Christie · GitHub · 966330a8 · b76984d2 · b76984d2
Commit b76984d2 authored Aug 18, 2016 by Tom Christie Committed by GitHub Aug 18, 2016
Showing with 11 additions and 2 deletions

rest_framework/renderers.py
+8 -1

rest_framework/static/rest_framework/js/csrf.js
+1 -1

rest_framework/templates/rest_framework/admin.html
+1 -0

rest_framework/templates/rest_framework/base.html
+1 -0

No files found.
--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@@ -645,6 +645,12 @@ class BrowsableAPIRenderer(BaseRenderer):
        else:
            paginator = None

+        csrf_cookie_name = settings.CSRF_COOKIE_NAME
+        csrf_header_name = getattr(settings, 'CSRF_HEADER_NAME', 'HTTP_X_CSRFToken')  # Fallback for Django 1.8
+        if csrf_header_name.startswith('HTTP_'):
+            csrf_header_name = csrf_header_name[5:]
+        csrf_header_name = csrf_header_name.replace('_', '-')
+
        context = {
            'content': self.get_content(renderer, data, accepted_media_type, renderer_context),
            'view': view,
@@ -675,7 +681,8 @@ class BrowsableAPIRenderer(BaseRenderer):
            'display_edit_forms': bool(response.status_code != 403),

            'api_settings': api_settings,
-            'csrf_cookie_name': settings.CSRF_COOKIE_NAME,
+            'csrf_cookie_name': csrf_cookie_name,
+            'csrf_header_name': csrf_header_name
        }
        return context


--- a/rest_framework/static/rest_framework/js/csrf.js
+++ b/rest_framework/static/rest_framework/js/csrf.js
@@ -46,7 +46,7 @@ $.ajaxSetup({
      // Send the token to same-origin, relative URLs only.
      // Send the token only if the method warrants CSRF protection
      // Using the CSRFToken value acquired earlier
-      xhr.setRequestHeader("X-CSRFToken", csrftoken);
+      xhr.setRequestHeader(window.drf.csrfHeaderName, csrftoken);
    }
  }
 });
--- a/rest_framework/templates/rest_framework/admin.html
+++ b/rest_framework/templates/rest_framework/admin.html
@@ -232,6 +232,7 @@
      {% block script %}
        <script>
          window.drf = {
+            csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
            csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
          };
        </script>

--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@@ -263,6 +263,7 @@
    {% block script %}
      <script>
        window.drf = {
+          csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
          csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
        };
      </script>