Merge pull request #1397 from 18F/feature/set-secure-csrf-cookie
Fixed CSRF token not being available for Feedback form
johnnyporkchops authored Oct 26, 2017
2 parents a29afe9 + a1b2c8f commit 73685ac
Showing 4 changed files with 5 additions and 3 deletions.
2 changes: 2 additions & 0 deletions fec/data/templates/layouts/main.jinja
Expand Up @@ -119,6 +119,8 @@

{% include './partials/glossary.html' %}

{% csrf_token %}

{% block modals %}{% endblock %}
<script src="{{ asset_for_js('vendor.js') }}"></script>
<script src="{{ asset_for_js('data-init.js') }}"></script>
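Review bot: `{% csrf_token %}` is a Django template-language tag, but `main.jinja` (note the `asset_for_js(...)` call syntax) is rendered by Jinja2, which has no built-in tag of that name; Django's Jinja2 backend exposes the token as the `csrf_input` and `csrf_token` context variables instead. Confirm the Jinja2 environment registers an extension providing this tag, otherwise use `{{ csrf_input }}` here. The hidden input also lands outside any `<form>`, so it is only reachable by script (which is how feedback.js uses it); a short comment above the tag saying it exists for the AJAX feedback form would save the next reader the question.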
2 changes: 0 additions & 2 deletions fec/data/views.py
@@ -1,4 +1,3 @@
from django.views.decorators.csrf import ensure_csrf_cookie
from django.shortcuts import render
from django.http import Http404
from django.http import JsonResponse
Expand Down Expand Up @@ -443,7 +442,6 @@ def spending(request):
})


@ensure_csrf_cookie
def feedback(request):
if request.method == 'POST':

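Review bot: dropping `@ensure_csrf_cookie` means a response from `feedback` no longer guarantees the `csrftoken` cookie, so the POST now depends entirely on the layouts rendering `{% csrf_token %}` (which also causes the cookie to be set) on every page that can submit the form; any page rendered outside those two layouts will post a missing or mismatched token and get a 403. Either keep the decorator as a cheap second line of defence or add a comment above `def feedback(request):` recording that dependency. The hunk shows the decorator removed but not how the view is still protected; confirm `CsrfViewMiddleware` is enabled and the view is not `csrf_exempt`.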
2 changes: 1 addition & 1 deletion fec/fec/static/js/modules/feedback.js
Expand Up @@ -72,7 +72,7 @@ Feedback.prototype.submit = function(e) {
beforeSend: function(xhr, settings) {
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
// Only send the token to relative URLs i.e. locally.
xhr.setRequestHeader('X-CSRFToken', helpers.getCookie('csrftoken'));
xhr.setRequestHeader('X-CSRFToken', $('input[name="csrfmiddlewaretoken"]').val());
}
}
});
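Review bot: `$('input[name="csrfmiddlewaretoken"]').val()` is `undefined` on any page that does not render the hidden input, and `setRequestHeader` will then send the literal string `undefined`, which guarantees a 403 with no useful error. Since the old cookie lookup is still available, fall back to it: `$('input[name="csrfmiddlewaretoken"]').val() || helpers.getCookie('csrftoken')`. Also note the hidden input is fixed at page load, whereas the cookie reflects a rotated token (for example after a login in another tab), so the cookie-first order is the safer one where both exist.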
2 changes: 2 additions & 0 deletions fec/fec/templates/base.html
Expand Up @@ -141,6 +141,8 @@ <h2 style="color: #ffffff">Your browser is outdated</h2>

{% include './partials/glossary.html' %}

{% csrf_token %}

<script>
window.CMS_URL = '{{ cms_url }}'
window.FEC_APP_URL = '{{ settings.FEC_APP_URL }}';
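Review bot: this duplicates the main.jinja change, so both layouts now embed a per-response token in the HTML body; that is only correct if these pages are never served from a shared cache (CDN or `cache_page`), because a cached copy hands every later visitor a token minted against someone else's cookie and the feedback POST fails with 403 for all of them. If any page using these layouts is cached, exclude the token from the cached fragment or keep feedback.js reading the cookie. Since the same tag is now maintained in two layouts, consider moving it into a shared partial next to the `glossary.html` include both files already have.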
