On Fri, Nov 2, 2012 at 4:09 PM, Marti Raudsepp <marti@juffo.org> wrote:
On Fri, Nov 2, 2012 at 4:32 PM, Magnus Hagander <magnus@hagander.net> wrote: > No, that's not a problem. We strip cookies in varnish by default. We only > support them over https...
Ahhh! That explains everything. I wasn't aware of the magic that happens on the proxy level. I thought you were relying on Django to not send cookies when not necessary, and the proxy respected the HTTP headers sent by Django like a conforming HTTP proxy.
The attached patch adds @csrf_exempt to the survey view and removes csrf_token from the template.
Thanks - applied. Please help me keep an extra eye out on things the next couple of days to see if we broke something :)
> if we have any other such pages (other than the search, but we can certainly > disable CSRF for search, right?)
Search uses GET parameters so it already bypasses CSRF.
