<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <form action="/login" method="post"> <!--{% raw xsrf_form_html() %}--> <input type="text" name="message"/> <input type="submit" value="Post"/> </form> <input type="button" value="Ajax CSRF" onclick="SubmitCsrf();"/> <script src="jquery-3.1.1.js"></script> <script> function getCookie(name) { var r = document.cookie.match("\b" + name + "=([^;]*)\b"); return r ? r[1] : undefined; } function SubmitCsrf() { var nid = getCookie('_xsrf'); $.post({ url:'/csrf', data:{'k1':'v1','_xsrf':nid}, success:function (callback) { console.log(callback); } }) } </script> </body> </html>
1 #!/usr/bin/env python 2 import tornado.ioloop 3 import tornado.web 4 class MainHandler(tornado.web.RequestHandler): 5 def get(self, *args, **kwargs): 6 self.render('login.html') 7 def post(self, *args, **kwargs): 8 self.render('login.html') 9 class LoginHandler(tornado.web.RequestHandler): 10 def get(self, *args, **kwargs): 11 self.render('login.html') 12 def post(self, *args, **kwargs): 13 self.render('login.html') 14 settings = { 15 "xsrf_cookies": True, 16 } 17 application = tornado.web.Application([ 18 (r"/", MainHandler), 19 (r"/login", LoginHandler), 20 ], **settings) 21 if __name__ == '__main__': 22 application.listen(8888) 23 tornado.ioloop.IOLoop.instance().start()