Pyjamas + Django => CSRF confusion, 403 errors

Question

I've got Pyjamas and Django running via Apache2 with mod_wsgi on Windows 7. I do not believe I'm getting issues from the setups of these things, though: the only thing that is not working is trying to POST information from Pyjamas-generated forms. Trying to use Pyjamas-generated forms in my application produces 403s (the "CSRF verification failed" error page).

I have spent hours on this and read all of the answers I could find on here related to CSRF and Pyjamas, and done a lot of external research just on CSRF and Django, Django and Ajax, etc. If this question isn't reaching anyone who has knows just what to do in this situation, I think I've whittled down the essence of the question.

How would one get the {% csrf_token %} into the Pyjamas-generated form? It seems like it might be impossible, because from what I understand CSRF tokens are not persistent, which a Pyjamas-generated page is ... My Pyjamas page is generated from a Pyjamas .py file, resulting in a folder full of hard-coded stuff. How is it that I would integrate the current CSRF token into that already-coded form?

Please don't hesitate to ask for more details, this issue has been incredibly hard to navigate. None of the published information on integrating Pyjamas & Django regards this; and the only solutions I've found that seem aware of CSRF in Django say you should probably just disable CSRF protection (which I could do, but what protection could I put in place of it? My own cookie system? Is it a terrible idea to disable CSRF protection in any case?).

Thank you!

Answer 1

You'll need to write some JavaScript to get the CSRF token from the cookie (part of the HTTP request), then add it to the form on submit.

Look at this answer for a starting point: Django CSRF check failing with an Ajax POST request

The key here is that the JavaScript can be as persistent as your Pyjamas-generated files, because they defer handling the token until the form is submitted.