Django: Ajax POST and CSRF giving "403 Forbidden" responses

If you want to protect your site from cross site request forgery, you'll have to enable the CSRF protection middleware.

You can do that by adding "django.middleware.csrf.CsrfViewMiddleware" to your MIDDLEWARE_CLASSES setting.

Once that's done, you have one of two ways to protect yourself.

When rendering forms, you can either:

• use {{ form }} to print the form automatically
• or if rendering manually, use the {% csrf_token %} tag somewhere in the form

When it comes to AJAX however, you'll have to either:

• rewrite the request in a Form (troublesome in most cases)
• add the output of {{ csrf_token }} (this one is not a tag) into an element and manually append it on every Ajax POST request
• use a little jQuery snippet to automatically add in an "X-CSRFToken" header to each POST request

The third method is by far the easiest, and this snippet comes straight from the Django docs!

view sourceprint?

01.$(document).ajaxSend(function(event, xhr, settings) {

02.  function getCookie(name) {

03.    var cookieValue = null;

04. 

05.    if (document.cookie && document.cookie != '') {

06.      var cookies = document.cookie.split(';');

07. 

08.      for (var i = 0; i < cookies.length; i++) {

09.        var cookie = jQuery.trim(cookies[i]);

10. 

11.        // Does this cookie string begin with the name we want?

12.        if (cookie.substring(0, name.length + 1) == (name + '=')) {

13.          cookieValue = decodeURIComponent(cookie.substring(name.length + 1));

14.          break;

15.        }

16.      }

17.    }

18. 

19.    return cookieValue;

20.  }

21. 

22.  function sameOrigin(url) {

23.    // url could be relative or scheme relative or absolute

24.    var host = document.location.host;

25.    // host + port

26.    var protocol = document.location.protocol;

27.    var sr_origin = '//' + host;

28.    var origin = protocol + sr_origin;

29. 

30.    // Allow absolute or scheme relative URLs to same origin

31.    return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||

32.           (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||

33.           // or any other URL that isn't scheme relative or absolute i.e relative.

34.           !(/^(\/\/|http:|https:).*/.test(url));

35.  }

36. 

37.  function safeMethod(method) {

38.    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));

39.  }

40. 

41.  if (!safeMethod(settings.type) && sameOrigin(settings.url)) {

42.    xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

43.  }

44.});

Apparently this snippet will not work for jQuery v1.5 so you have to be using something newer.

Source:

• Cross Site Request Forgery protection

Android: Get file mime type from filename

Man, I wish it were this easy in all languages and platforms!

view sourceprint?

1.import android.webkit.MimeTypeMap;  

2.     

3.MimeTypeMap.getSingleton().getMimeTypeFromExtension(MimeTypeMap.getFileExtensionFromUrl(source.substring(source.lastIndexOf("."))))

Where source would be either a filename or URL.

*same day edit*

Wow, that's a first I've had to update a post a few hours after putting it up.

There was a bug with filenames containing spaces, causing getFileExtensionsFromUrl() to return null.

Sources:

• How to tell what's the MIME type according to the file?
• Android docs: MimeTypeMap

Python: Sort a list/tuple/class by specific field

This is something that I have to do every once in a while and can never remember the method. To save myself some time, I've written this here in hope that I can remember it next time.

view sourceprint?

01.student_tuples = [

02.  ('john', 'A', 15),

03.  ('jane', 'B', 12),

04.  ('dave', 'B', 10),

05.]

06. 

07.# sort by age

08.sorted(student_tuples, key = lambda student: student[2])

09. 

10.[('dave', 'B', 10), ('jane', 'B', 12), ('john', 'A', 15)]

This great example is straight from the Python wiki page.

[ Source ]