CSRF token missing in Facebook's post 'signed-request'

I am working with a Django project.开发者_StackOverflow社区 The aim is to import user information from Facebook. For a start, I am using the registration social plugin that Facebook offers. I have a basic template that includes the iframe for the registration plug-in; just the way the Facebook api documentation suggests. The view that renders this template is as follows:

def registration(request):
    if (request.method == "POST"): 
        return HttpResponse("it posted!")
    else: 
        return render_to_response("ui/registration.html", {}, 
                                  context_instance=RequestContext(request))

As soon as I press register on the plugin and Facebook sends my view the signed-request, Django complains about the missing csrf token. I also have tried explicitly including the csrf-token by passing it along in the context dictionary using csrf(request), however that still doesn't solve the problem.

CSRF protection is there to prevent cross-site posts. However, in this case you want to accept the post from Facebook so you should use the csrf_exempt decorator on your view which accepts the signed request. See the section on CSRF Exceptions: http://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#exceptions

You need to do a few things for this:

1. You'll need to pass your csrf token as a parameter to your facebook request as seen at the end of their documentation:
2. Next, you'll have to decorate your view with @csrf_exempt, like Mark suggested.
3. Finally, in your view, you can verify that the csrf token is okay. You can steal some logic by taking a look at the django csrf middleware code found here.

Alternately, instead of steps 2 and 3 you can write your own middleware to check the csrf tokens coming from facebook.

look for fandjango app, especially the middleware. https://github.com/jgorset/fandjango that did it to me