Allow custom CSRF_HEADER_NAME setting. (#4415)

tomchristie · web-flow · commit b76984d22228 · 2016-08-18T11:24:03.000+01:00
diff --git a/rest_framework/renderers.py b/rest_framework/renderers.py
@@ -645,6 +645,12 @@ def get_context(self, data, accepted_media_type, renderer_context):
         else:
             paginator = None
 
+        csrf_cookie_name = settings.CSRF_COOKIE_NAME
+        csrf_header_name = getattr(settings, 'CSRF_HEADER_NAME', 'HTTP_X_CSRFToken')  # Fallback for Django 1.8
+        if csrf_header_name.startswith('HTTP_'):
+            csrf_header_name = csrf_header_name[5:]
+        csrf_header_name = csrf_header_name.replace('_', '-')
+
         context = {
             'content': self.get_content(renderer, data, accepted_media_type, renderer_context),
             'view': view,
@@ -675,7 +681,8 @@ def get_context(self, data, accepted_media_type, renderer_context):
             'display_edit_forms': bool(response.status_code != 403),
 
             'api_settings': api_settings,
-            'csrf_cookie_name': settings.CSRF_COOKIE_NAME,
+            'csrf_cookie_name': csrf_cookie_name,
+            'csrf_header_name': csrf_header_name
         }
         return context
 
diff --git a/rest_framework/static/rest_framework/js/csrf.js b/rest_framework/static/rest_framework/js/csrf.js
@@ -46,7 +46,7 @@ $.ajaxSetup({
       // Send the token to same-origin, relative URLs only.
       // Send the token only if the method warrants CSRF protection
       // Using the CSRFToken value acquired earlier
-      xhr.setRequestHeader("X-CSRFToken", csrftoken);
+      xhr.setRequestHeader(window.drf.csrfHeaderName, csrftoken);
     }
   }
 });
diff --git a/rest_framework/templates/rest_framework/admin.html b/rest_framework/templates/rest_framework/admin.html
@@ -232,6 +232,7 @@ <h4 class="modal-title" id="myModalLabel">{{ error_title }}</h4>
       {% block script %}
         <script>
           window.drf = {
+            csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
             csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
           };
         </script>
diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
@@ -263,6 +263,7 @@ <h1>{{ name }}</h1>
     {% block script %}
       <script>
         window.drf = {
+          csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
           csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
         };
       </script>

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ $.ajaxSetup({`
`46`	`46`	`// Send the token to same-origin, relative URLs only.`
`47`	`47`	`// Send the token only if the method warrants CSRF protection`
`48`	`48`	`// Using the CSRFToken value acquired earlier`
`49`		`- xhr.setRequestHeader("X-CSRFToken", csrftoken);`
	`49`	`+ xhr.setRequestHeader(window.drf.csrfHeaderName, csrftoken);`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`	`});`