Use CSRF header on ajax calls, if available

[luismanson]

Hello, I just discovered template editor, but was unable to preview and save template edits.

After further inspection, it seems to be that in template_editor.html' all ajax calls don't use the CSRF header provided by Flask-WTF.

The code suggested in their site regarding javascript requests has no effect.

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrf_token);
        }
    }
});

I hope it can be fixed, thanks for this great tool.

[jeffwidman]

Happy to merge a PR if you or anyone else wants to dig into it.

My current work is unrelated to Flask, so won't have time to look into it myself.

[caffeinatedMike]

@jeffwideman @luismanson I also face this issue with the SQLAlchemy panel when clicking SELECT and EXPLAIN SELECT next to the queries.

I will look into correcting this and opening a PR in the next day or so.

[rimvislt]

Any update on this? Still facing this issue on master branch, so I guess it was never merged/created ?

[caffeinatedMike]

@rimvislt I haven't had the time to invest in contributing this change.

[macnewbold]

I have run into this issue as well I think, but didn't dive into debugging it yet. I'm in favor of getting a solution in place when someone has time to continue down this path.

[taoky]

A workaround in flask app init script:

# ...
app.csrf = CSRFProtect(app)
# replace the view name by the view you need -- this could be printed in flask_wtf/csrf.py `csrf_protect()` func.
app.csrf.exempt('flask_debugtoolbar.panels.sqlalchemy.sql_select')