sending facebook friend invitation using new javascript SDK shows 403 forbidden page but the invitation is sent successfully
In my django website, I am using the new facebook javascript SDK to allow my users to send friend invitation to their facebook friends.
But When users send the website invitation(after login & selecting friends from the facebook popup), the invitation is send successfully but users see a "403 Forbidden - Cross Site Request Forgery detected. Request aborted " page ( at the same url from which the invitation was sent). How to overcome this csrf validation.
The javascript code for the invitation( after loading the facebook SDK ):
<script>
function invitePopup() {
FB.login(function(response) {
if (response.session) {
// user successfully logged in
FB.ui({
method:'fbml.dialog',
fbml: (
'<fb:request-form action="http://{{site.d开发者_高级运维omain}}{% url account_view %}" method="post" invite="true" type="{{ site.name }}" ' +
'content="help the world by spreading good ideas. Join the move! <fb:req-choice url=\'http://{{site.domain}}{% url facebook_login %}?facebook_invitation=1\' label=\'Accept\' />" >' +
'<fb:multi-friend-selector showborder="false" bypass="cancel" actiontext="Invite your friends to join {{ site.name }}" /> '+
'</fb:request-form>'
),
size: { width:640, height:480}, width:640, height:480
});
$(".FB_UI_Dialog").css('width', $(window).width()*0.8); // 80% of window width
} else {
// user cancelled login
}
});
}
</script>
and the triggering part:
<a href="#" onclick="invitePopup();" class="facebook">Invite your Facebook friends to join {{ site.name }} </a>
There is a workaround I've tried i.e. using csrf_exempt decorator for the view. But I don't want to use it because I'm using more forms in that view which needs csrf protection.
you can include crsf_token like this:
FB.ui({
method:'fbml.dialog',
fbml: (
'<fb:request-form action="http://{{site.domain}}{% url account_view %}" method="post" invite="true" type="{{ site.name }}" ' +
'content="help the world by spreading good ideas. Join the move! <fb:req-choice url=\'http://{{site.domain}}{% url facebook_login %}?facebook_invitation=1\' label=\'Accept\' />" >'
+ "{% csrf_token %}"+
'<fb:multi-friend-selector showborder="false" bypass="cancel" actiontext="Invite your friends to join {{ site.name }}" /> '+
'</fb:request-form>'
),
size: { width:640, height:480}, width:640, height:480
});
Works perfect for me.
Hf
精彩评论