Allow custom CSRF_HEADER_NAME setting. (#4415)

encode · lovelydinosaur · Sep 29, 2016 · Aug 12, 2016 · Aug 13, 2016 · Aug 15, 2016
commit b76984d222281e58e3105df0128141567b9a7697
diff --git a/rest_framework/renderers.py b/rest_framework/renderers.py
@@ -645,6 +645,12 @@ def get_context(self, data, accepted_media_type, renderer_context):
         else:
             paginator = None
 
+        csrf_cookie_name = settings.CSRF_COOKIE_NAME
+        csrf_header_name = getattr(settings, 'CSRF_HEADER_NAME', 'HTTP_X_CSRFToken')  # Fallback for Django 1.8
+        if csrf_header_name.startswith('HTTP_'):
+            csrf_header_name = csrf_header_name[5:]
+        csrf_header_name = csrf_header_name.replace('_', '-')
+
         context = {
             'content': self.get_content(renderer, data, accepted_media_type, renderer_context),
             'view': view,
@@ -675,7 +681,8 @@ def get_context(self, data, accepted_media_type, renderer_context):
             'display_edit_forms': bool(response.status_code != 403),
 
             'api_settings': api_settings,
-            'csrf_cookie_name': settings.CSRF_COOKIE_NAME,
+            'csrf_cookie_name': csrf_cookie_name,
+            'csrf_header_name': csrf_header_name
         }
         return context
 

diff --git a/rest_framework/static/rest_framework/js/csrf.js b/rest_framework/static/rest_framework/js/csrf.js
@@ -46,7 +46,7 @@ $.ajaxSetup({
       // Send the token to same-origin, relative URLs only.
       // Send the token only if the method warrants CSRF protection
       // Using the CSRFToken value acquired earlier
-      xhr.setRequestHeader("X-CSRFToken", csrftoken);
+      xhr.setRequestHeader(window.drf.csrfHeaderName, csrftoken);
     }
   }
 });
diff --git a/rest_framework/templates/rest_framework/admin.html b/rest_framework/templates/rest_framework/admin.html
@@ -232,6 +232,7 @@ <h4 class="modal-title" id="myModalLabel">{{ error_title }}</h4>
       {% block script %}
         <script>
           window.drf = {
+            csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
             csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
           };
         </script>

diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
@@ -263,6 +263,7 @@ <h1>{{ name }}</h1>
     {% block script %}
       <script>
         window.drf = {
+          csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}"
           csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
         };
       </script>