scottkleinman
commented
10 years ago My first sense is that this is OK; I can't think of any way the Serendip-o-matic site could be abused. For a while, we had a bookmarklet functioning as a link. The code is still in view.html, commented out. This was the Save to Zotero bookmarklethttp://www.zotero.org/downloadbookmarkletcode, which, if you'll recall, only worked as a link if you had Zotero Standalone open. Given that this does involve credentials, would disabling CSRF protection prevent us from implementing a Save to Zotero function later?
On 19 September 2013 12:13, Rebecca Sutton Koeser notifications@github.comwrote:
I needed to write a bookmarklet for work and as a simpler first case to get familiar with the technology I thought I'd write a bookmarklet for serendipomatic - current functionality is to take selected text on the current page and submit it as if you had copied and pasted it into the text form.
The one caveat is that the current site doesn't allow this because Django has CSRF (Cross Site Request Forgery) protection turned on by default. I think it's probably fine to turn this off for the main form on the front page since we're not passing any sensitive data or making any updates based on it, but was hoping someone else could confirm that. Anybody know enough to weigh in? Maybe @mialondon https://github.com/mialondon or @scottkleinman https://github.com/scottkleinman or @moltudehttps://github.com/moltude?
Django CSRF docs are here: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ There's a stack overflow question about when/why this is dangerous: http://stackoverflow.com/questions/9956356/in-what-case-can-csrf-exempt-be-dangerous
Assuming someone else concurs this sounds ok, I'll make this view CSRF exempt, and add the javascript to the site so it can be called/installed from there. We'll probably need to figure out where the bookmarklet should be made available, along with some brief text to explain how to install and use.
— Reply to this email directly or view it on GitHubhttps://github.com/chnm/serendipomatic/issues/147#issuecomment-24765649 .
Scott Kleinman Professor of English Director, Center for the Digital Humanities California State University, Northridge
rlskoeser
mialondon
I needed to write a bookmarklet for work and as a simpler first case to get familiar with the technology I thought I'd write a bookmarklet for serendipomatic - current functionality is to take selected text on the current page and submit it as if you had copied and pasted it into the text form.
The one caveat is that the current site doesn't allow this because Django has CSRF (Cross Site Request Forgery) protection turned on by default. I think it's probably fine to turn this off for the main form on the front page since we're not passing any sensitive data or making any updates based on it, but was hoping someone else could confirm that. Anybody know enough to weigh in? Maybe @mialondon or @scottkleinman or @moltude ?
Django CSRF docs are here: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ There's a stack overflow question about when/why this is dangerous: http://stackoverflow.com/questions/9956356/in-what-case-can-csrf-exempt-be-dangerous
Assuming someone else concurs this sounds ok, I'll make this view CSRF exempt, and add the javascript to the site so it can be called/installed from there. We'll probably need to figure out where the bookmarklet should be made available, along with some brief text to explain how to install and use.