1. ==========================

  2. Django 1.1.4 release notes

  3. ==========================

  4. 

  5. Welcome to Django 1.1.4!

  6. 

  7. This is the fourth "bugfix" release in the Django 1.1 series,

  8. improving the stability and performance of the Django 1.1 codebase.

  9. 

  10. With one exception, Django 1.1.4 maintains backwards compatibility

  11. with Django 1.1.3. It also contains a number of fixes and other

  12. improvements. Django 1.1.4 is a recommended upgrade for any

  13. development or deployment currently using or targeting Django 1.1.

  14. 

  15. For full details on the new features, backwards incompatibilities, and

  16. deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.

  17. 

  18. Backwards incompatible changes

  19. ==============================

  20. 

  21. CSRF exception for AJAX requests

  22. --------------------------------

  23. 

  24. Django includes a CSRF-protection mechanism, which makes use of a

  25. token inserted into outgoing forms. Middleware then checks for the

  26. token's presence on form submission, and validates it.

  27. 

  28. Prior to Django 1.2.5, our CSRF protection made an exception for AJAX

  29. requests, on the following basis:

  30. 

  31. * Many AJAX toolkits add an X-Requested-With header when using

  32.   XMLHttpRequest.

  33. 

  34. * Browsers have strict same-origin policies regarding

  35.   XMLHttpRequest.

  36. 

  37. * In the context of a browser, the only way that a custom header

  38.   of this nature can be added is with XMLHttpRequest.

  39. 

  40. Therefore, for ease of use, we did not apply CSRF checks to requests

  41. that appeared to be AJAX on the basis of the X-Requested-With header.

  42. The Ruby on Rails web framework had a similar exemption.

  43. 

  44. Recently, engineers at Google made members of the Ruby on Rails

  45. development team aware of a combination of browser plugins and

  46. redirects which can allow an attacker to provide custom HTTP headers

  47. on a request to any website. This can allow a forged request to appear

  48. to be an AJAX request, thereby defeating CSRF protection which trusts

  49. the same-origin nature of AJAX requests.

  50. 

  51. Michael Koziarski of the Rails team brought this to our attention, and

  52. we were able to produce a proof-of-concept demonstrating the same

  53. vulnerability in Django's CSRF handling.

  54. 

  55. To remedy this, Django will now apply full CSRF validation to all

  56. requests, regardless of apparent AJAX origin. This is technically

  57. backwards-incompatible, but the security risks have been judged to

  58. outweigh the compatibility concerns in this case.

  59. 

  60. Additionally, Django will now accept the CSRF token in the custom HTTP

  61. header X-CSRFTOKEN, as well as in the form submission itself, for ease

  62. of use with popular JavaScript toolkits which allow insertion of

  63. custom headers into all AJAX requests.

  64. 

  65. Please see the :ref:`CSRF docs for example jQuery code <csrf-ajax>`

  66. that demonstrates this technique, ensuring that you are looking at the

  67. documentation for your version of Django, as the exact code necessary

  68. is different for some older versions of Django.
About Sign Up Leave Feedback Contact