I'm requesting a key using the POST method as follows,
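var session_id; // to use for token based authentication
var csrftoken;  // CSRF token read from the site's cookie jar (was an implicit global before)

// Every request in this file targets this origin. The CSRF token is only ever
// attached to requests for this origin, so it cannot leak to a third party
// through the global $.ajaxSetup hook.
const SITE_ORIGIN = 'https://dummy-site-xyz.com/';
const KEY_ENDPOINT = 'https://dummy-site-xyz.com/profile/api/v1/awesome/key';

// these HTTP methods do not require CSRF protection
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method);
}

// Reads one cookie by name from the site's cookie jar and hands its value to
// `done`. chrome.cookies.get needs the "cookies" permission in manifest.json
// and passes null when the cookie does not exist, which is mapped to
// undefined here instead of throwing on `res.value`.
function readSiteCookie(name, done) {
  chrome.cookies.get({ 'url': SITE_ORIGIN, 'name': name }, function (cookie) {
    done(cookie ? cookie.value : undefined);
  });
}

// Registers a global beforeSend hook that adds X-CSRFToken to every
// state-changing request aimed at SITE_ORIGIN.
function installCsrfHeader() {
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      // settings.type is the HTTP method. The original passed settings.url to
      // csrfSafeMethod, which never matched the method regex, so the header
      // was sent on every request including GET.
      const method = String(settings.type || 'GET').toUpperCase();
      const sameSite = typeof settings.url === 'string' && settings.url.startsWith(SITE_ORIGIN);
      if (csrftoken && sameSite && !csrfSafeMethod(method)) {
        xhr.setRequestHeader('X-CSRFToken', csrftoken);
      }
    },
  });
}

// the request
// Issued only after the token cookie has been read; in the original the POST
// went out synchronously at script load, before $(document).ready had run and
// long before the cookie callbacks installed the X-CSRFToken hook.
// The "no Referer" rejection cannot be fixed from here: Referer is a
// forbidden request header, so xhr.setRequestHeader('Referer', ...) is ignored.
function requestKey() {
  $.ajax({
    type: 'POST',
    crossDomain: true,
    url: KEY_ENDPOINT,
    // NOTE(review): session_id read from the cookie is never used here;
    // confirm whether the cookie value should be sent instead of the placeholder.
    data: { 'sessionid': 'dummy_session_id' },
    success: function (data) {
      // pass
    },
    error: function (jqXHR, textStatus, errorThrown) {
      console.log(jqXHR.responseJSON);
    },
  });
}

// prep
$(document).ready(function () {
  if (!chrome.cookies) {
    chrome.cookies = chrome.experimental.cookies;
  }
  readSiteCookie('sessionid', function (value) {
    session_id = value;
  });
  readSiteCookie('csrftoken', function (value) {
    csrftoken = value;
    installCsrfHeader();
    // Sent even when the cookie is missing so the server's error is still
    // logged by the error callback rather than the request silently vanishing.
    requestKey();
  });
});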
but it keeps failing with `detail: "CSRF Failed: Referer checking failed - no Referer."`
This works fine if the request is sent:
- to localhost
- to devserver from local html file
- to devserver from terminal
But it fails when sent from the Chrome extension.
My manifest.json:
"permissions": [
.
.
.
"https://dummy-site-xyz.com/*",
.
.
],