Support customized CSRF token cookie name (original) (raw)

Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

1. Activate SessionAuthentication for all views, or a single view.
2. Set CSRF_COOKIE_NAME to a non-default value.
3. Login.
4. Navigate to a view secured by SessionAuthentication via the Browseable API.
5. Attempt to a PATCH/POST/PUT operation.

Expected behavior

The action should be completed successfully.

Actual behavior

The action fails with HTTP status 403, and the message CSRF Failed: CSRF token missing or incorrect..

csrf.js has the cookie name hardcoded: https://github.com/tomchristie/django-rest-framework/blob/bb56ca46ed6c07db0146dbdc61c672ff25f127de/rest_framework/static/rest_framework/js/csrf.js#L36. It should instead get the cookie name from settings.