[PATCH 1/5] static: added JS Cookie Library to get csrftoken for fetch requests

Jonathan Nieder jrnieder at gmail.com
Tue Jul 20 11:36:53 AEST 2021


Raxel Gutierrez wrote:

> As per Django docs[1], the library is useful to add csrftoken when
> making AJAX requests in JavaScript. More details in the README GitHub
> link provided.
> [1] https://docs.djangoproject.com/en/3.2/ref/csrf/#ajax
> Signed-off-by: Raxel Gutierrez <raxel at google.com>
> ---

The first thing I wonder when looking at the description above is "why
wasn't this needed before"?

There are no existing users of document.cookie in patchwork.  Is the
point that all existing code uses {% csrf_token %} in forms generated
by the server instead of dynamically generated requests?  If so, makes

> --- /dev/null
> +++ b/htdocs/js/js.cookie-2.2.1.min.js
> @@ -0,0 +1,3 @@
> +/*! js-cookie v2.2.1 | MIT */

How do we decide between this going in lib/packages/ versus

(That's a genuine question --- I don't understand patchwork's current
split.  Is the idea that lib/packages/ is supposed to contain a
package with a README and htdocs/js/ is supposed to contain symlinks
to there?)

> --- a/templates/base.html
> +++ b/templates/base.html
> @@ -21,6 +21,7 @@
>    <script src="{% static "js/bootstrap.min.js" %}"></script>
>    <script src="{% static "js/selectize.min.js" %}"></script>
>    <script src="{% static "js/clipboard.min.js" %}"></script>
> +  <script src="{% static "js/js.cookie-2.2.1.min.js" %}"></script>

Should this use an unversioned URL like the rest of these?

Also, how do we decide between putting this in base.html (i.e., all
pages) versus specific pages making requests that need a csrf token?
The script is small enough that it shouldn't make a difference, but
asking anyway because I am curious.


More information about the Patchwork mailing list