What is the sensible behaviour here?

[omkar111111]

Note that because we want to be able to POST to this view from clients that won't have a CSRF token we need to mark the view as csrf_exempt. This isn't something that you'd normally want to do, and REST framework views actually use more sensible behavior than this, but it'll do for our purposes right now.

Source: https://www.django-rest-framework.org/tutorial/1-serialization/

[charanjit-singh]

Didn't get your point

[hashlash]

I think the part being asked is the more sensible behavior on the quoted docs.

..., and REST framework views actually use more sensible behavior than this, ...

Btw @omkar111111 , it seems this discussion is more suited to the Q&A category.

[hashlash]

From what I understand, the more sensible behavior here is allowing all requests to not have a CSRF token except for session-based requests. This is due to the session-based requests usually having access to the generated CSRF token, while cross-domain doesn't.

This behavior is documented on AJAX, CSRF & CORS:

AJAX requests that are made within the same context as the API they are interacting with will typically use SessionAuthentication. This ensures that once a user has logged in, any AJAX requests made can be authenticated using the same session-based authentication that is used for the rest of the website.

AJAX requests that are made on a different site from the API they are communicating with will typically need to use a non-session-based authentication scheme, such as TokenAuthentication.

And the corresponding code:

• The CSRF exempt (on rest_framework.views.APIView.as_view function)

  django-rest-framework/rest_framework/views.py

  Line 144 in 86673a3

  return csrf_exempt(view)

• The CSRF enforcement (on rest_framework.authentication.SessionAuthentication.authentication function)

  django-rest-framework/rest_framework/authentication.py

  Line 130 in 86673a3

  self.enforce_csrf(request)