diff --git a/isso/js/app/api.js b/isso/js/app/api.js
index 144415e..23e3102 100644
--- a/isso/js/app/api.js
+++ b/isso/js/app/api.js
@@ -93,6 +93,7 @@ define(["q"], function(Q) {
 try {
 xhr.open(method, url, true);
 xhr.withCredentials = true;
+ xhr.setRequestHeader("Content-Type", "application/json");
 if (method === "GET") {
 xhr.setRequestHeader("X-Origin", window.location.origin);
diff --git a/isso/views/comments.py b/isso/views/comments.py
index 0fe1a0a..83a6238 100644
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@@ -31,6 +31,30 @@ class JSON(Response):
 return super(JSON, self).__init__(*args, content_type='application/json')
+def xhr(func):
+ """A decorator to check for CSRF on POST/PUT/DELETE using a
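Review bot: The added `Content-Type: application/json` header is set before the `if (method === "GET")` branch, so it is also sent on GET requests that carry no body; in a cross-origin embed a non-simple Content-Type turns every such request into a CORS request that needs an OPTIONS preflight, which is an extra round trip and breaks if the server does not answer OPTIONS with `Access-Control-Allow-Headers` covering Content-Type. Since the server-side check in comments.py is described as applying to POST/PUT/DELETE, the header only needs to accompany body-carrying methods, e.g. `if (method !== "GET") { xhr.setRequestHeader("Content-Type", "application/json"); }` placed next to the existing branch. The defence this enables relies on browsers refusing to send a JSON Content-Type from a plain HTML form without a preflight, so a comment such as `// JSON content type is required by the server's CSRF check` would make the dependency visible to whoever next touches this code. The surrounding function and its try block begin and end outside the hunk.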