author | Caio Carrara <ccarrara@thoughtworks.com> | 2016-06-24 14:58:39 -0300 |
---|---|---|
committer | Caio Carrara <ccarrara@thoughtworks.com> | 2016-06-27 16:32:58 -0300 |
commit | 85094ff8caac585cbff260fe89a6f21df241fd47 (patch) | |
tree | 6b5427a800ad9493f0639ec4fce654e1fef38ea7 /service/pixelated | |
parent | 546c3d0ab51914645b0d5aa2890acc982949ccf6 (diff) |
Fix xsrf-token verification in async calls
The previous behaviour only checked the xsrf-token in headers, but it can be
provided in a token as well.
Diffstat (limited to 'service/pixelated')
-rw-r--r-- | service/pixelated/resources/root_resource.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index c9808a03..6886dda6 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -70,7 +70,7 @@ class RootResource(BaseResource):
 ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
 if ajax_request:
- xsrf_header = request.getHeader('x-xsrf-token')
+ xsrf_header = xsrf_token or request.getHeader('x-xsrf-token')
 return xsrf_header and xsrf_header == xsrf_token
 get_request = (request.method == 'GET') |
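Review bot: On the added line, `xsrf_header` is seeded from `xsrf_token` itself, so whenever `xsrf_token` is non-empty the following `xsrf_header == xsrf_token` compares the value with itself and the `x-xsrf-token` header is never read. `xsrf_token` is assigned outside this hunk (the method starts and ends outside it), so its origin is not visible here, but if it is the expected server-side or cookie value, the AJAX branch now accepts a request with a wrong or missing header and the XSRF check no longer does anything for those calls. The fallback should come from a second client-supplied location rather than from the expected value, e.g. `xsrf_header = request.getHeader('x-xsrf-token') or <token read from the request body/args>` (placeholder for wherever the client sends it), with the comparison against `xsrf_token` kept as the deciding step. A test that sends an AJAX request with a mismatched `x-xsrf-token` and expects rejection would catch this regression.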