Django csrf_protect and the browser same-origin policy

1. Django applies a number of restrictions when it handles POST requests.

They exist to prevent cross-site request forgery (CSRF).

Reference: http://www.qttc.net/201209211.html

 

2. Why must CSRF be guarded against?

The browser enforces the same-origin policy, which blocks most forged requests, keeps user data safe, and stops a malicious site from stealing it. But the browser also stipulates that submitting a form is not subject to the same-origin policy.

Why is a form submission (POST) not subject to the same-origin policy?

The browser treats a plain form POST as safe: once the form is submitted to its action URL, the page navigates to the response, and the page that submitted the form never gets to read what came back. The POST still takes effect on the server, though. A POST sent via AJAX, by contrast, is governed by the same-origin policy and cannot be made cross-origin. So the submitting page learns nothing from the response; all it can do is send a request that makes the server execute the command the request describes and change server-side data directly, not steal data from the server. The services we need to protect are therefore the ones that change data; services that only read data do not require CSRF protection.

Reference: https://www.cnblogs.com/chenchao1990/p/5339779.html
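Sections 1 and 2 together describe the rule Django enforces: reads pass unchecked, writes must carry a secret that only a page served from our own origin can know. The following is an added stand-alone Python sketch of that rule, written for this page; it is not Django's CsrfViewMiddleware (which additionally masks the token per response and compares the Origin/Referer headers). The request and session dicts are constructed stand-ins for Django's objects; the field name csrfmiddlewaretoken and the header X-CSRFToken follow Django's conventions.

```python
import hmac
import secrets

# Methods that are not supposed to change server state. As the article says,
# services that only read data need no CSRF check, so these pass through.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def issue_csrf_token(session):
    """Create (or reuse) the secret bound to this user's session.

    The token only ever reaches the browser inside a page we serve, so a form
    hosted on another site cannot read it (session is a constructed dict)."""
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_urlsafe(32)
    return session["csrf_secret"]


def csrf_check(request):
    """Return (allowed, reason) for a constructed request dict with the keys
    'method', 'session', 'post' (form fields) and 'headers'."""
    method = request["method"].upper()
    if method in SAFE_METHODS:
        return True, "safe method, no state change expected"
    expected = request["session"].get("csrf_secret")
    if not expected:
        return False, "no CSRF secret in session"
    # Accept the token from the hidden form field or from a request header;
    # the header is the route an AJAX client on our own origin would use.
    supplied = (request["post"].get("csrfmiddlewaretoken")
                or request["headers"].get("X-CSRFToken"))
    if not supplied:
        return False, "CSRF token missing"
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(supplied, expected):
        return False, "CSRF token mismatch"
    return True, "token valid"


def demo():
    """Three constructed requests against one session: a genuine form post
    from our own page, a forged cross-site form post, and a plain read."""
    session = {}
    token = issue_csrf_token(session)

    genuine_post = {"method": "POST", "session": session,
                    "post": {"csrfmiddlewaretoken": token, "amount": "10"},
                    "headers": {}}
    # The attacker's page can auto-submit a form to our URL, but the field it
    # needs is unknown to it, so the form arrives with a guess or nothing.
    forged_post = {"method": "POST", "session": session,
                   "post": {"csrfmiddlewaretoken": "guess", "amount": "999"},
                   "headers": {}}
    read_only = {"method": "GET", "session": session, "post": {}, "headers": {}}

    return (csrf_check(genuine_post)[0],
            csrf_check(forged_post)[0],
            csrf_check(read_only)[0])


if __name__ == "__main__":
    print(demo())
```

The decisive property is that the check keys on a value the browser never attaches automatically: cookies travel with every cross-site form post, but the hidden field does not, so the forged request fails while the legitimate one succeeds.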

 

3. What is the browser's same-origin policy? What does it restrict? How do you get around it?

Same-origin means the URL's protocol, domain name, and port all match. When two pages are not same-origin, three kinds of behaviour are restricted:

(1) Cookies, LocalStorage and IndexedDB cannot be read.

(2) The DOM cannot be accessed.

(3) AJAX requests cannot be sent.

Reference: http://www.ruanyifeng.com/blog/2016/04/same-origin-policy.html
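To make the definition above concrete, here is an added Python example (my illustration, not from the referenced article) that computes the origin triple the browser compares and applies section 3's three restrictions plus the exception from section 2, a plain form submission. It handles the edge cases a naive string comparison misses: default ports, host case, and path differences.

```python
from urllib.parse import urlsplit

# Ports the browser assumes when the URL does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Cross-origin actions the same-origin policy blocks (section 3's list).
BLOCKED_ACTIONS = frozenset({"read_storage", "access_dom", "ajax"})
# A form submission is sent regardless of origin; only the response is
# unreadable to the submitting page (section 2's point).
ALWAYS_ALLOWED = frozenset({"form_post"})


def origin_of(url):
    """Return the (scheme, host, port) triple that defines an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and (effective) port.
    Path, query and fragment play no part in the comparison."""
    return origin_of(url_a) == origin_of(url_b)


def policy_verdict(page_url, target_url, action):
    """'allowed' or 'blocked' for a page at page_url attempting action against
    target_url. 'ajax' follows the article's description (no CORS headers from
    the target are assumed)."""
    if action in ALWAYS_ALLOWED:
        return "allowed"
    if action not in BLOCKED_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    return "allowed" if same_origin(page_url, target_url) else "blocked"


if __name__ == "__main__":
    page = "https://shop.example/cart"
    for target in ("https://shop.example:443/api", "http://shop.example/api",
                   "https://evil.example/"):
        print(target, [policy_verdict(page, target, a)
                       for a in ("read_storage", "access_dom", "ajax", "form_post")])
```

Note that the last line of the loop shows the gap the page is about: every target, including the foreign one, reports `form_post` as allowed, which is exactly why a token check such as Django's is needed on state-changing endpoints.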

 
