Use CSRF header on ajax calls, if available
luismanson opened this issue · 7 comments
Hello, I just discovered template editor, but was unable to preview and save template edits.
After further inspection, it seems that in template_editor.html all AJAX calls don't use the CSRF header provided by Flask-WTF.
The code suggested on their site regarding JavaScript requests has no effect.
// Token rendered into the page by Flask-WTF (this line precedes the snippet in their docs).
var csrf_token = "{{ csrf_token() }}";

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        // Only state-changing, same-origin requests get the header.
        if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrf_token);
        }
    }
});
I hope it can be fixed, thanks for this great tool.
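The rule the Flask-WTF jQuery snippet above encodes, written for fetch() as an added example (not code from the issue or from flask_debugtoolbar): fetch has no `this.crossDomain`, so the same-origin check is done on the URL instead. The meta tag, page origin and token value are assumptions.

```javascript
// Added example, not part of the original issue. Methods that Flask-WTF does
// not protect; everything else must carry X-CSRFToken.
const SAFE_METHODS = /^(GET|HEAD|OPTIONS|TRACE)$/i;

// True when the request is state-changing AND targets the page's own origin.
// Sending the token cross-origin would leak it, so that case is excluded.
function needsCsrfHeader(method, url, pageOrigin) {
  if (SAFE_METHODS.test(method || "GET")) return false;
  const target = new URL(url, pageOrigin);            // resolves relative URLs
  return target.origin === new URL(pageOrigin).origin;
}

// Return a copy of a fetch() init object with X-CSRFToken attached when
// needsCsrfHeader() says so. `token` is the value rendered by
// {{ csrf_token() }}; in a real page it would be read from, e.g.,
// <meta name="csrf-token" content="..."> (assumed markup). Assumes
// init.headers is a plain object, not a Headers instance.
function withCsrf(url, init, token, pageOrigin) {
  const method = (init && init.method) || "GET";
  const headers = Object.assign({}, (init && init.headers) || {});
  if (needsCsrfHeader(method, url, pageOrigin)) {
    headers["X-CSRFToken"] = token;
  }
  return Object.assign({}, init, { method, headers });
}

// Constructed sample values; the token is a placeholder, not a real one.
const PAGE_ORIGIN = "https://app.example";
const TOKEN = "constructed-token-value";

// Usage: a template-editor style save is a same-origin POST, so it gets the
// header; a GET preview of the same URL does not.
// fetch("/template/save", withCsrf("/template/save", { method: "POST", body: "..." }, TOKEN, PAGE_ORIGIN));
```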
Happy to merge a PR if you or anyone else wants to dig into it.
My current work is unrelated to Flask, so won't have time to look into it myself.
@jeffwideman @luismanson I also face this issue with the SQLAlchemy panel when clicking SELECT and EXPLAIN SELECT next to the queries.
I will look into correcting this and opening a PR in the next day or so.
Any update on this? Still facing this issue on the master branch, so I guess it was never merged/created?
@rimvislt I haven't had the time to invest in contributing this change.
I have run into this issue as well I think, but didn't dive into debugging it yet. I'm in favor of getting a solution in place when someone has time to continue down this path.
A workaround in the Flask app init script:
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
# ...
app.csrf = CSRFProtect(app)
# Replace the view name with the view you need -- it can be printed from the
# `csrf_protect()` func in flask_wtf/csrf.py. exempt() accepts a dotted string.
app.csrf.exempt('flask_debugtoolbar.panels.sqlalchemy.sql_select')
The same issue.