Details
- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Affects versions: 2012.8, 4.7.0-dev, 5.0.0-dev
Description
Web service protocols that use POST requests with a body encoded in a format other than application/x-www-form-urlencoded (JSON, XML, etc.) cannot pass ezformtoken validation, because the validator only looks in $_POST for the token, and PHP only populates $_POST for form-encoded (and multipart) bodies.
It seems logical to support workarounds, such as also checking for the token in the query string or in a custom HTTP header (Rails, for example, supports both).
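The following is an added illustration of the lookup described above; it is not ezformtoken's own code. The field name `ezxform_token`, the header `X-CSRF-Token` and the session token value are assumptions chosen for the example. It shows why a JSON POST fails a `$_POST`-only check and how falling back to the query string or a custom header lets the same request validate, with the comparison done in constant time.

```php
<?php
// Added example, not eZ Publish / ezformtoken code.
// Assumed names: form field 'ezxform_token', header 'X-CSRF-Token'
// (which PHP exposes as $_SERVER['HTTP_X_CSRF_TOKEN']).

const CSRF_FIELD  = 'ezxform_token';
const CSRF_HEADER = 'HTTP_X_CSRF_TOKEN';

/**
 * Locate the submitted token. Order: POST body first (only populated by PHP
 * for application/x-www-form-urlencoded and multipart/form-data bodies),
 * then the query string, then the custom header.
 * Returns null when the token was sent in none of the supported places.
 */
function findSubmittedToken(array $post, array $get, array $server)
{
    if (isset($post[CSRF_FIELD]) && is_string($post[CSRF_FIELD])) {
        return $post[CSRF_FIELD];
    }
    if (isset($get[CSRF_FIELD]) && is_string($get[CSRF_FIELD])) {
        return $get[CSRF_FIELD];
    }
    if (isset($server[CSRF_HEADER]) && is_string($server[CSRF_HEADER])) {
        return $server[CSRF_HEADER];
    }
    return null;
}

/**
 * Compare the submitted token with the session token in constant time.
 * hash_equals() exists from PHP 5.6; a manual XOR loop is the fallback for
 * the older releases the affected versions ran on.
 */
function isValidToken($submitted, $expected)
{
    if (!is_string($submitted) || !is_string($expected) || $expected === '') {
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $submitted);
    }
    if (strlen($submitted) !== strlen($expected)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}

// --- constructed sample requests (not captured traffic) ------------------
$sessionToken = 'a1b2c3d4e5f6'; // constructed value standing in for the session token

// 1. Classic HTML form post: the token is in $_POST, so the POST-only check works.
$formPost = findSubmittedToken(array(CSRF_FIELD => $sessionToken), array(), array());

// 2. JSON body: PHP leaves $_POST empty, so a POST-only check rejects the
//    request even though the client put the token inside the JSON payload.
$jsonPost = findSubmittedToken(array(), array(), array('CONTENT_TYPE' => 'application/json'));

// 3. The same JSON request carrying the token in X-CSRF-Token (the workaround
//    proposed in the issue) is found via the header fallback.
$jsonWithHeader = findSubmittedToken(array(), array(), array(CSRF_HEADER => $sessionToken));

// 4. Token passed in the query string, the other workaround mentioned.
$queryToken = findSubmittedToken(array(), array(CSRF_FIELD => $sessionToken), array());

var_dump(isValidToken($formPost, $sessionToken));
var_dump(isValidToken($jsonPost, $sessionToken));
var_dump(isValidToken($jsonWithHeader, $sessionToken));
var_dump(isValidToken($queryToken, $sessionToken));
```

Cases 1, 3 and 4 validate; case 2 fails because no token reaches the validator through any of the checked locations. The header variant is generally preferable to the query string, since query strings end up in server logs and Referer headers, whereas a custom header is also not sent by cross-origin form submissions.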
Bibliography
- http://stackoverflow.com/questions/10719804/csrf-token-using
- https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
- http://stackoverflow.com/questions/1090244/rails-auth-token-and-ajax
- http://stackoverflow.com/questions/7203304/warning-cant-verify-csrf-token-authenticity-rails