Very good article. Using AJAX with Django always feels a bit unnatural, as there's no standard way to do it and everyone has its own way of dealing with it, so it's interesting to see how others do it (in particular utility functions). I think there are also django packages that provide an AJAXy layer (but never used it).
It's already hinted at in the blog post, but for writing clean apps using AJAX a lot, django-tastypie and backbone.js really do work well together (I've just started using them in combination in my latest toy project).
Yeah, we have another post in the pipeline for exploring Tastypie, especially for a) using it with Backbone, and b) using it as a simple writable API for jQuery.
Django does seem to be fairly open-ended when it comes to AJAX, and while there may no be standard way to do it, I think approaches like we take are a lot more reliable than some of the others I've seen.
That bit of CSRF javascript does not "ignore" CSRF checking, and is not unsafe. The only difference is that it sets the CSRF token value as a request header rather than a POST value. The browser still needs to have that CSRF cookie value.
Edit: Code backing from middleware/csrf.py:
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
if request_csrf_token == "":
# Fall back to X-CSRFToken, to make things easier for AJAX
request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
[+] [-] toumhi|14 years ago|reply
It's already hinted at in the blog post, but for writing clean apps using AJAX a lot, django-tastypie and backbone.js really do work well together (I've just started using them in combination in my latest toy project).
[+] [-] kennethlove|14 years ago|reply
Django does seem to be fairly open-ended when it comes to AJAX, and while there may no be standard way to do it, I think approaches like we take are a lot more reliable than some of the others I've seen.
[+] [-] H_E_Pennypacker|14 years ago|reply
Edit: Code backing from middleware/csrf.py:
request_csrf_token = request.POST.get('csrfmiddlewaretoken', '') if request_csrf_token == "": # Fall back to X-CSRFToken, to make things easier for AJAX request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
[+] [-] chrisjones|14 years ago|reply