
Exclude reserved cookies in nextjs_request_cookies
Fixes #29
danialkeimasi committed Sep 2, 2023
1 parent bed7a6e commit ea7c26a
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion django_nextjs/render.py
@@ -1,4 +1,5 @@
import warnings
from http.cookies import Morsel
from typing import Dict, Tuple, Union
from urllib.parse import quote

@@ -13,6 +14,8 @@
from .app_settings import NEXTJS_SERVER_URL
from .utils import filter_mapping_obj

morsel = Morsel()


def _get_render_context(html: str, extra_context: Union[Dict, None] = None):
a = html.find("<head>")
@@ -46,7 +49,8 @@ def _get_nextjs_request_cookies(request: HttpRequest):
(i.e. dont use HTTP unsafe methods or GraphQL mutations).
https://docs.djangoproject.com/en/3.2/ref/csrf/#is-posting-an-arbitrary-csrf-token-pair-cookie-and-post-data-a-vulnerability
"""
return {**request.COOKIES, settings.CSRF_COOKIE_NAME: get_csrf_token(request)}
unreserved_cookies = {k: v for k, v in request.COOKIES.items() if not morsel.isReservedKey(k)}
return {**unreserved_cookies, settings.CSRF_COOKIE_NAME: get_csrf_token(request)}


def _get_nextjs_request_headers(request: HttpRequest, headers: Union[Dict, None] = None):
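Review bot: The new `unreserved_cookies` comprehension filters only reserved attribute names, so cookie names that `http.cookies` would also refuse as malformed (an empty name, or one containing characters outside Morsel's legal key set) still pass through, and Django's `parse_cookie` is permissive enough to hand such names to `request.COOKIES`. If the returned dict is later loaded into a `SimpleCookie` to build the upstream request — that happens outside this hunk, so I am inferring it from the fix — the same `CookieError` this commit avoids for reserved names would still be raised for a malformed name. One check that delegates to `Morsel.set`, which rejects both reserved and illegal names, covers both cases, as sketched below; it needs `CookieError` added to the `http.cookies` import in the first hunk and makes the module-level `morsel = Morsel()` in the second hunk unnecessary. Independently of that, the docstring above should record the new behaviour, e.g. `Cookies whose names are reserved Morsel attributes are dropped before forwarding.`; the function's opening lines lie above this hunk.
```python
def _is_forwardable_cookie(name: str, value: str) -> bool:
    """True if http.cookies accepts *name* as a cookie key (neither reserved nor malformed)."""
    try:
        Morsel().set(name, value, value)
    except CookieError:
        return False
    return True

# … unchanged: docstring of _get_nextjs_request_cookies …
    forwardable = {k: v for k, v in request.COOKIES.items() if _is_forwardable_cookie(k, v)}
    return {**forwardable, settings.CSRF_COOKIE_NAME: get_csrf_token(request)}
```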
