Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default - Mailing list pgsql-www

From Magnus Hagander
Subject Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Date
Msg-id CABUevEy_hdrJ04-heVBAOu9ysJyQsGMkDX_ycAsAt3CdvqdYFA@mail.gmail.com
In response to Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default  (Magnus Hagander <magnus@hagander.net>)
Responses Re: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
List pgsql-www
On Mon, Nov 5, 2012 at 2:12 PM, Magnus Hagander <magnus@hagander.net> wrote:
> On Fri, Nov 2, 2012 at 4:09 PM, Marti Raudsepp <marti@juffo.org> wrote:
>>
>> On Fri, Nov 2, 2012 at 4:32 PM, Magnus Hagander <magnus@hagander.net>
>> wrote:
>> > No, that's not a problem. We strip cookies in varnish by default. We
>> > only
>> > support them over https...
>>
>> Ahhh! That explains everything. I wasn't aware of the magic that
>> happens on the proxy level. I thought you were relying on Django to
>> not send cookies when not necessary, and the proxy respected the HTTP
>> headers sent by Django like a conforming HTTP proxy.
>>
>> The attached patch adds @csrf_exempt to the survey view and removes
>> csrf_token from the template.
>
>
> Thanks - applied. Please help me keep an extra eye out on things the next
> couple of days to see if we broke something :)

Ugh.

This broke the admin interface form to access varnish. I've made it
exempt. Is there any actual reason why we need it in the admin
interface, since you need to have a session logged in as an
administrator already to access it?

It also broke the purging API. Also made exempt, but that appears to
not solve the problem. Do I need to do something more than add
@csrf_exempt to a view function to make it not broken? The error
message talks about the referrer header - but surely that shouldn't be
a requirement when you've set @csrf_exempt?

And it broke the bug reporting form, also fixed in a separate commit.


We may well have missed more parts :( Clearly neither one of us tested
this patch very well.

If we run into any further issues (assuming we can solve the one
above), we should probably revert the whole thing. But let's hope we
can make it work..

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

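An added stand-alone model of the decision order in Django's CsrfViewMiddleware.process_view (this is not Django's code and not part of the thread above), showing why an HTTPS POST that carries no Referer is rejected unless the callable the URLconf resolves to carries the csrf_exempt attribute. The site URL, reason strings, the purge view and the request dicts are constructed for the example.

```python
import functools

# Constructed rejection reasons; Django's middleware uses similar message strings.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - does not match."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_exempt(view):
    """Mark a view callable so the middleware skips CSRF checks (mirrors Django's decorator)."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped


def csrf_check(request, view, site="https://www.postgresql.org/"):
    """Simplified model of CsrfViewMiddleware.process_view: the exemption flag is
    consulted before the HTTPS Referer check and the token check.  Returns None
    when the request may proceed, otherwise the rejection reason."""
    if getattr(view, "csrf_exempt", False):
        return None
    if request["method"] in SAFE_METHODS:
        return None
    if request["secure"]:  # over HTTPS Django insists on a Referer matching the site
        referer = request["headers"].get("Referer")
        if referer is None:
            return REASON_NO_REFERER
        if not referer.startswith(site):
            return REASON_BAD_REFERER
    cookie = request["cookies"].get("csrftoken")
    if cookie is None or cookie != request["post"].get("csrfmiddlewaretoken"):
        return REASON_BAD_TOKEN
    return None


def purge(request):  # constructed stand-in for the purging API view
    return "purged"


def with_logging(view):  # a decorator that omits functools.wraps and so drops attributes
    def inner(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    return inner


# Constructed request: a POST from an API client over HTTPS that sends no Referer.
API_POST = {"method": "POST", "secure": True, "headers": {}, "cookies": {}, "post": {}}
```

An exempted view is still rejected when another decorator wraps it on the outside without functools.wraps, because the csrf_exempt attribute then lives only on the inner function, not on the callable the middleware inspects.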

