Django: CSRF token missing in Facebook 'signed-request'

I am working with a Django project. The aim is to import user information from Facebook. For a start, I am using the registration social plugin that Facebook offers. I have a basic template that includes the iframe for the registration plug-in, just the way the Facebook API documentation suggests. The view that renders this template is as follows:

from django.http import HttpResponse
from django.shortcuts import render_to_response
from django.template import RequestContext

def registration(request):
    if request.method == "POST":
        # Facebook's registration plugin POSTs the signed_request here
        return HttpResponse("it posted!")
    else:
        return render_to_response("ui/registration.html", {},
                                  context_instance=RequestContext(request))

As soon as I press register on the plugin and Facebook sends my view the signed-request, Django complains about the missing CSRF token. I also have tried explicitly including the CSRF token by passing it along in the context dictionary using csrf(request); however, that still doesn't solve the problem. A quick response would be greatly appreciated.


CSRF protection is there to prevent cross-site posts. However, in this case you want to accept the post from Facebook so you should use the csrf_exempt decorator on your view which accepts the signed request. See the section on CSRF Exceptions: http://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#exceptions
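Exempting the view removes Django's cross-site protection for it, so the view needs another way to know the POST really came from Facebook: verifying the HMAC-SHA256 signature of signed_request with the app secret. The following is an added example (not code from the question or the answer) of a csrf_exempt view that does that; APP_SECRET, parse_signed_request and make_signed_request are names chosen here, and the sample request is constructed, not captured from Facebook.

```python
import base64
import hashlib
import hmac
import json

try:
    from django.http import HttpResponse, HttpResponseForbidden
    from django.views.decorators.csrf import csrf_exempt
except ImportError:  # lets the verification logic run stand-alone without Django
    HttpResponse = HttpResponseForbidden = None
    def csrf_exempt(view):
        return view

APP_SECRET = "app-secret-placeholder"  # placeholder: load your real app secret from settings

def _b64url_decode(data):
    # Facebook strips base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def parse_signed_request(signed_request, app_secret):
    """Return the payload dict if the HMAC-SHA256 signature verifies, else None."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
    except ValueError:
        return None
    sig = _b64url_decode(encoded_sig)
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(_b64url_decode(payload))
    return data if data.get("algorithm", "").upper() == "HMAC-SHA256" else None

def make_signed_request(payload, app_secret):
    """Build a signed_request the way Facebook does (constructed test data only)."""
    encoded = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
    sig = hmac.new(app_secret.encode(), encoded.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).decode().rstrip("=") + "." + encoded

# constructed sample: what a POST from the plugin would carry for user 12345
SAMPLE = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "12345"}, APP_SECRET)

@csrf_exempt  # CSRF exemption is acceptable only because the signature check below replaces it
def registration(request):
    if request.method != "POST":
        return HttpResponse("expected a POST from the registration plugin", status=405)
    data = parse_signed_request(request.POST.get("signed_request", ""), APP_SECRET)
    if data is None:
        return HttpResponseForbidden("missing or invalid signed_request")
    return HttpResponse("verified registration for user %s" % data.get("user_id"))
```

A request with a bad signature, a wrong secret, or a tampered payload is rejected with 403 before anything in it is trusted.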