

AJAX and Django Views - kennethlove
http://brack3t.com/ajax-and-django-views.html

======
toumhi
Very good article. Using AJAX with Django always feels a bit unnatural, as
there's no standard way to do it and everyone has their own way of dealing with
it, so it's interesting to see how others do it (in particular utility
functions). I think there are also django packages that provide an AJAXy layer
(but never used it).

It's already hinted at in the blog post, but for writing clean apps using AJAX
a lot, django-tastypie and backbone.js really do work well together (I've just
started using them in combination in my latest toy project).

~~~
kennethlove
Yeah, we have another post in the pipeline for exploring Tastypie, especially
for a) using it with Backbone, and b) using it as a simple writable API for
jQuery.

Django does seem to be fairly open-ended when it comes to AJAX, and while
there may not be a standard way to do it, I think approaches like we take are a
lot more reliable than some of the others I've seen.

------
H_E_Pennypacker
That bit of CSRF javascript does not "ignore" CSRF checking, and is not
unsafe. The only difference is that it sets the CSRF token value as a request
header rather than a POST value. The browser still needs to have that CSRF
cookie value.

Edit: Code backing from middleware/csrf.py:

    request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
    if request_csrf_token == "":
        # Fall back to X-CSRFToken, to make things easier for AJAX
        request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

~~~
chrisjones
You're right. That was an oversight on our side and we've corrected it.
Thanks.
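
An added illustration of H_E_Pennypacker's point above (not part of the thread and not Django's own code): a simplified model of the check in which the token may arrive as a POST field or as the X-CSRFToken header, but must match the CSRF cookie either way. The function names, the cookie name `csrftoken` and the sample requests are assumptions constructed for this example.

```python
import hmac
import secrets


def csrf_check(cookies, post, meta):
    """Simplified model of the quoted middleware logic; returns (ok, reason)."""
    cookie_token = cookies.get("csrftoken", "")  # assumed cookie name
    if not cookie_token:
        return False, "no CSRF cookie"
    request_token = post.get("csrfmiddlewaretoken", "")
    if request_token == "":
        # Fall back to the X-CSRFToken header, as in the quoted snippet
        request_token = meta.get("HTTP_X_CSRFTOKEN", "")
    # Constant-time comparison of the submitted token against the cookie
    if not hmac.compare_digest(request_token.encode(), cookie_token.encode()):
        return False, "token missing or incorrect"
    return True, "ok"


def demo():
    token = secrets.token_hex(16)  # constructed sample token
    cases = {
        # name: (cookies, POST data, request.META-style headers)
        "form_field": ({"csrftoken": token}, {"csrfmiddlewaretoken": token}, {}),
        "ajax_header": ({"csrftoken": token}, {}, {"HTTP_X_CSRFTOKEN": token}),
        "header_without_cookie": ({}, {}, {"HTTP_X_CSRFTOKEN": token}),
        "wrong_header": ({"csrftoken": token}, {}, {"HTTP_X_CSRFTOKEN": "guess"}),
        "no_token": ({"csrftoken": token}, {}, {}),
    }
    return {name: csrf_check(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24} {'accepted' if ok else 'rejected'} ({reason})")
```

The header path is accepted only in the same cases where the form-field path would be: the check is not skipped for AJAX, only the transport of the token changes.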

